diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc
index 45a9174607..319ac506b8 100644
--- a/docs/detections/detection-engine-intro.asciidoc
+++ b/docs/detections/detection-engine-intro.asciidoc
@@ -26,7 +26,7 @@ modifying your own rules.
 
 There are two special prebuilt rules you need to know about:
 
-* <<elastic-endpoint-security, *Elastic Endpoint Security*>>:
+* <<endpoint-security, *Endpoint Security*>>:
 Automatically creates an alert from all incoming Elastic Endpoint alerts. To
 receive Elastic Endpoint alerts, you must install the Endpoint agent on your
 hosts (see <<install-endpoint>>).
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
index e70651c685..d1988928be 100644
--- a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
+++ b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
@@ -7,6 +7,105 @@ The following lists prebuilt rule updates per release. Only rules with
 significant modifications to their query or scope are listed. For detailed
 information about a rule's changes, see the rule's description page.
 
+[float]
+=== 7.10.0
+
+<<aws-ec2-snapshot-activity>>
+
+<<aws-execution-via-system-manager>>
+
+<<aws-iam-assume-role-policy-update>>
+
+<<aws-iam-brute-force-of-assume-role-policy>>
+
+<<aws-management-console-root-login>>
+
+<<aws-root-login-without-mfa>>
+
+<<aws-waf-rule-or-rule-group-deletion>>
+
+<<administrator-privileges-assigned-to-okta-group>>
+
+<<attempt-to-create-okta-api-token>>
+
+<<attempt-to-deactivate-mfa-for-okta-user-account>>
+
+<<attempt-to-deactivate-okta-mfa-rule>>
+
+<<attempt-to-deactivate-okta-policy>>
+
+<<attempt-to-delete-okta-policy>>
+
+<<attempt-to-modify-okta-mfa-rule>>
+
+<<attempt-to-modify-okta-network-zone>>
+
+<<attempt-to-modify-okta-policy>>
+
+<<attempt-to-reset-mfa-factors-for-okta-user-account>>
+
+<<attempt-to-revoke-okta-api-token>>
+
+<<attempted-bypass-of-okta-mfa>>
+
+<<command-prompt-network-connection>>
+
+<<connection-to-external-network-via-telnet>>
+
+<<connection-to-internal-network-via-telnet>>
+
+<<direct-outbound-smb-connection>>
+
+<<microsoft-build-engine-using-an-alternate-name>>
+
+<<modification-or-removal-of-an-okta-application-sign-on-policy>>
+
+<<msbuild-making-network-connections>>
+
+<<net-command-via-system-account>>
+
+<<netcat-network-activity>>
+
+<<network-connection-via-certutil>>
+
+<<network-connection-via-compiled-html-file>>
+
+<<network-connection-via-msxsl>>
+
+<<network-connection-via-registration-utility>>
+
+<<network-connection-via-signed-binary>>
+
+<<okta-brute-force-or-password-spraying-attack>>
+
+<<possible-okta-dos-attack>>
+
+<<potential-application-shimming-via-sdbinst>>
+
+<<potential-evasion-via-filter-manager>>
+
+<<potential-modification-of-accessibility-binaries>>
+
+<<process-activity-via-compiled-html-file>>
+
+<<process-discovery-via-tasklist>>
+
+<<psexec-network-connection>>
+
+<<suspicious-activity-reported-by-okta-user>>
+
+<<threat-detected-by-okta-threatinsight>>
+
+<<trusted-developer-application-usage>>
+
+<<unusual-network-connection-via-rundll32>>
+
+<<unusual-parent-child-relationship>>
+
+<<unusual-process-network-connection>>
+
+<<whoami-process-activity>>
+
 [float]
 === 7.9.0
 
@@ -100,9 +199,7 @@ information about a rule's changes, see the rule's description page.
 
 <<network-connection-via-msxsl>>
 
-<<network-connection-via-mshta>>
-
-<<network-connection-via-regsvr>>
+<<network-connection-via-registration-utility>>
 
 <<network-connection-via-signed-binary>>
 
@@ -219,19 +316,19 @@ These prebuilt rules have been updated:
 
 <<adding-hidden-file-attribute-via-attrib>>
 
-<<adversary-behavior-detected-elastic-endpoint-security>>
+<<adversary-behavior-detected-endpoint-security>>
 
 <<clearing-windows-event-logs>>
 
 <<command-prompt-network-connection>>
 
-<<credential-dumping-detected-elastic-endpoint-security>>
+<<credential-dumping-detected-endpoint-security>>
 
-<<credential-dumping-prevented-elastic-endpoint-security>>
+<<credential-dumping-prevented-endpoint-security>>
 
-<<credential-manipulation-detected-elastic-endpoint-security>>
+<<credential-manipulation-detected-endpoint-security>>
 
-<<credential-manipulation-prevented-elastic-endpoint-security>>
+<<credential-manipulation-prevented-endpoint-security>>
 
 <<dns-activity-to-the-internet>>
 
@@ -245,9 +342,9 @@ These prebuilt rules have been updated:
 
 <<encoding-or-decoding-files-via-certutil>>
 
-<<exploit-detected-elastic-endpoint-security>>
+<<exploit-detected-endpoint-security>>
 
-<<exploit-prevented-elastic-endpoint-security>>
+<<exploit-prevented-endpoint-security>>
 
 <<ftp-file-transfer-protocol-activity-to-the-internet>>
 
@@ -259,9 +356,9 @@ These prebuilt rules have been updated:
 
 <<local-service-commands>>
 
-<<malware-detected-elastic-endpoint-security>>
+<<malware-detected-endpoint-security>>
 
-<<malware-prevented-elastic-endpoint-security>>
+<<malware-prevented-endpoint-security>>
 
 <<mknod-process-activity>>
 
@@ -271,9 +368,7 @@ These prebuilt rules have been updated:
 
 <<network-connection-via-compiled-html-file>>
 
-<<network-connection-via-mshta>>
-
-<<network-connection-via-regsvr>>
+<<network-connection-via-registration-utility>>
 
 <<network-connection-via-signed-binary>>
 
@@ -283,9 +378,9 @@ These prebuilt rules have been updated:
 
 <<nping-process-activity>>
 
-<<permission-theft-detected-elastic-endpoint-security>>
+<<permission-theft-detected-endpoint-security>>
 
-<<permission-theft-prevented-elastic-endpoint-security>>
+<<permission-theft-prevented-endpoint-security>>
 
 <<persistence-via-kernel-module-modification>>
 
@@ -293,9 +388,9 @@ These prebuilt rules have been updated:
 
 <<potential-modification-of-accessibility-binaries>>
 
-<<process-injection-detected-elastic-endpoint-security>>
+<<process-injection-detected-endpoint-security>>
 
-<<process-injection-prevented-elastic-endpoint-security>>
+<<process-injection-prevented-endpoint-security>>
 
 <<proxy-port-activity-to-the-internet>>
 
@@ -309,9 +404,9 @@ These prebuilt rules have been updated:
 
 <<rpc-remote-procedure-call-to-the-internet>>
 
-<<ransomware-detected-elastic-endpoint-security>>
+<<ransomware-detected-endpoint-security>>
 
-<<ransomware-prevented-elastic-endpoint-security>>
+<<ransomware-prevented-endpoint-security>>
 
 <<smb-windows-file-sharing-activity-to-the-internet>>
 
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
index 67345ec9c1..128be54ab8 100644
--- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
+++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc
@@ -16,410 +16,636 @@ and their rule type is `machine_learning`.
 |Rule |Description |Tags |Added |Version
 
 
-|<<aws-access-secret-in-secrets-manager, AWS Access Secret in Secrets Manager>> |An adversary may attempt to access the secrets in AWS Secrets Manager to steal certificates, credentials, or other sensitive material. |[AWS] [Elastic] [SecOps] [Data Protection] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-access-secret-in-secrets-manager, AWS Access Secret in Secrets Manager>> |An adversary may attempt to access the secrets in AWS Secrets Manager to steal certificates, credentials, or other sensitive material. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection]  |7.9.0 |2 <<aws-access-secret-in-secrets-manager-history, Version history>>
 
-|<<aws-cloudtrail-log-created, AWS CloudTrail Log Created>> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. |[AWS] [Elastic] [SecOps] [Logging] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-cloudtrail-log-created, AWS CloudTrail Log Created>> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.9.0 |2 <<aws-cloudtrail-log-created-history, Version history>>
 
-|<<aws-cloudtrail-log-deleted, AWS CloudTrail Log Deleted>> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[AWS] [Elastic] [SecOps] [Logging] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-cloudtrail-log-deleted, AWS CloudTrail Log Deleted>> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.9.0 |2 <<aws-cloudtrail-log-deleted-history, Version history>>
 
-|<<aws-cloudtrail-log-suspended, AWS CloudTrail Log Suspended>> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[AWS] [Elastic] [SecOps] [Logging] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-cloudtrail-log-suspended, AWS CloudTrail Log Suspended>> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.9.0 |2 <<aws-cloudtrail-log-suspended-history, Version history>>
 
-|<<aws-cloudtrail-log-updated, AWS CloudTrail Log Updated>> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[AWS] [Elastic] [SecOps] [Logging] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-cloudtrail-log-updated, AWS CloudTrail Log Updated>> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.9.0 |2 <<aws-cloudtrail-log-updated-history, Version history>>
 
-|<<aws-cloudwatch-alarm-deletion, AWS CloudWatch Alarm Deletion>> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. |[AWS] [Elastic] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-cloudwatch-alarm-deletion, AWS CloudWatch Alarm Deletion>> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<aws-cloudwatch-alarm-deletion-history, Version history>>
 
-|<<aws-cloudwatch-log-group-deletion, AWS CloudWatch Log Group Deletion>> |Identifies the deletion of a specific AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[AWS] [Elastic] [SecOps] [Logging] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-cloudwatch-log-group-deletion, AWS CloudWatch Log Group Deletion>> |Identifies the deletion of a specific AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.9.0 |2 <<aws-cloudwatch-log-group-deletion-history, Version history>>
 
-|<<aws-cloudwatch-log-stream-deletion, AWS CloudWatch Log Stream Deletion>> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[AWS] [Elastic] [SecOps] [Logging] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-cloudwatch-log-stream-deletion, AWS CloudWatch Log Stream Deletion>> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.9.0 |2 <<aws-cloudwatch-log-stream-deletion-history, Version history>>
 
-|<<aws-config-service-tampering, AWS Config Service Tampering>> |Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce visibility into the security posture of an account and/or its workload instances. |[AWS] [Elastic] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-config-service-tampering, AWS Config Service Tampering>> |Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce visibility into the security posture of an account and/or its workload instances. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<aws-config-service-tampering-history, Version history>>
 
-|<<aws-configuration-recorder-stopped, AWS Configuration Recorder Stopped>> |Identifies an AWS configuration change to stop recording a designated set of resources. |[AWS] [Elastic] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-configuration-recorder-stopped, AWS Configuration Recorder Stopped>> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<aws-configuration-recorder-stopped-history, Version history>>
 
-|<<aws-ec2-encryption-disabled, AWS EC2 Encryption Disabled>> |Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. |[AWS] [Elastic] [SecOps] [Data Protection] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-ec2-encryption-disabled, AWS EC2 Encryption Disabled>> |Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection]  |7.9.0 |2 <<aws-ec2-encryption-disabled-history, Version history>>
 
-|<<aws-ec2-flow-log-deletion, AWS EC2 Flow Log Deletion>> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[AWS] [Elastic] [SecOps] [Logging] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-ec2-flow-log-deletion, AWS EC2 Flow Log Deletion>> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.9.0 |2 <<aws-ec2-flow-log-deletion-history, Version history>>
 
-|<<aws-ec2-network-access-control-list-creation, AWS EC2 Network Access Control List Creation>> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[AWS] [Elastic] [SecOps] [Network] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-ec2-network-access-control-list-creation, AWS EC2 Network Access Control List Creation>> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security]  |7.9.0 |2 <<aws-ec2-network-access-control-list-creation-history, Version history>>
 
-|<<aws-ec2-network-access-control-list-deletion, AWS EC2 Network Access Control List Deletion>> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[AWS] [Elastic] [SecOps] [Network] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-ec2-network-access-control-list-deletion, AWS EC2 Network Access Control List Deletion>> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security]  |7.9.0 |2 <<aws-ec2-network-access-control-list-deletion-history, Version history>>
 
-|<<aws-ec2-snapshot-activity, AWS EC2 Snapshot Activity>> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[AWS] [Elastic] [SecOps] [Asset Visibility] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-ec2-snapshot-activity, AWS EC2 Snapshot Activity>> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.9.0 |2 <<aws-ec2-snapshot-activity-history, Version history>>
 
-|<<aws-execution-via-system-manager, AWS Execution via System Manager>> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[AWS] [Elastic] [SecOps] [Logging] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-execution-via-system-manager, AWS Execution via System Manager>> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.9.0 |2 <<aws-execution-via-system-manager-history, Version history>>
 
-|<<aws-guardduty-detector-deletion, AWS GuardDuty Detector Deletion>> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[AWS] [Elastic] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-guardduty-detector-deletion, AWS GuardDuty Detector Deletion>> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<aws-guardduty-detector-deletion-history, Version history>>
 
-|<<aws-iam-assume-role-policy-update, AWS IAM Assume Role Policy Update>> |Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[AWS] [Elastic] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-iam-assume-role-policy-update, AWS IAM Assume Role Policy Update>> |Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<aws-iam-assume-role-policy-update-history, Version history>>
 
-|<<aws-iam-brute-force-of-assume-role-policy, AWS IAM Brute Force of Assume Role Policy>> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[AWS] [Elastic] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-iam-brute-force-of-assume-role-policy, AWS IAM Brute Force of Assume Role Policy>> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<aws-iam-brute-force-of-assume-role-policy-history, Version history>>
 
-|<<aws-iam-deactivation-of-mfa-device, AWS IAM Deactivation of MFA Device>> |Identifies the deactivation of a specific multi-factor authentication (MFA) device and removes its association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. |[AWS] [Elastic] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-iam-deactivation-of-mfa-device, AWS IAM Deactivation of MFA Device>> |Identifies the deactivation of a specific multi-factor authentication (MFA) device and removes its association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<aws-iam-deactivation-of-mfa-device-history, Version history>>
 
-|<<aws-iam-group-creation, AWS IAM Group Creation>> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. All users in a group automatically have the permissions that are assigned to the group. |[AWS] [Elastic] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-iam-group-creation, AWS IAM Group Creation>> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. All users in a group automatically have the permissions that are assigned to the group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<aws-iam-group-creation-history, Version history>>
 
-|<<aws-iam-group-deletion, AWS IAM Group Deletion>> |Identifies the deletion of a specific AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group, only the group structure. |[AWS] [Elastic] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-iam-group-deletion, AWS IAM Group Deletion>> |Identifies the deletion of a specific AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group, only the group structure. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<aws-iam-group-deletion-history, Version history>>
 
-|<<aws-iam-password-recovery-requested, AWS IAM Password Recovery Requested>> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[AWS] [Elastic] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-iam-password-recovery-requested, AWS IAM Password Recovery Requested>> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<aws-iam-password-recovery-requested-history, Version history>>
 
-|<<aws-iam-user-addition-to-group, AWS IAM User Addition to Group>> |Identifies the addition of a user to a specific group in AWS Identity and Access Management (IAM). |[AWS] [Elastic] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-iam-user-addition-to-group, AWS IAM User Addition to Group>> |Identifies the addition of a user to a specific group in AWS Identity and Access Management (IAM). |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<aws-iam-user-addition-to-group-history, Version history>>
 
-|<<aws-management-console-root-login, AWS Management Console Root Login>> |Identifies a successful login to the AWS Management Console by the Root user. |[AWS] [Elastic] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-management-console-brute-force-of-root-user-identity, AWS Management Console Brute Force of Root User Identity>> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<aws-rds-cluster-creation, AWS RDS Cluster Creation>> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[AWS] [Elastic] [SecOps] [Asset Visibility] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-management-console-root-login, AWS Management Console Root Login>> |Identifies a successful login to the AWS Management Console by the Root user. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<aws-management-console-root-login-history, Version history>>
 
-|<<aws-rds-cluster-deletion, AWS RDS Cluster Deletion>> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster. |[AWS] [Elastic] [SecOps] [Asset Visibility] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-rds-cluster-creation, AWS RDS Cluster Creation>> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.9.0 |2 <<aws-rds-cluster-creation-history, Version history>>
 
-|<<aws-rds-instance-cluster-stoppage, AWS RDS Instance/Cluster Stoppage>> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[AWS] [Elastic] [SecOps] [Asset Visibility] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-rds-cluster-deletion, AWS RDS Cluster Deletion>> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.9.0 |2 <<aws-rds-cluster-deletion-history, Version history>>
 
-|<<aws-root-login-without-mfa, AWS Root Login Without MFA>> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[AWS] [Elastic] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-rds-instance-cluster-stoppage, AWS RDS Instance/Cluster Stoppage>> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.9.0 |2 <<aws-rds-instance-cluster-stoppage-history, Version history>>
 
-|<<aws-s3-bucket-configuration-deletion, AWS S3 Bucket Configuration Deletion>> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[AWS] [Elastic] [SecOps] [Asset Visibility] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-root-login-without-mfa, AWS Root Login Without MFA>> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<aws-root-login-without-mfa-history, Version history>>
 
-|<<aws-waf-access-control-list-deletion, AWS WAF Access Control List Deletion>> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[AWS] [Elastic] [SecOps] [Network] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-s3-bucket-configuration-deletion, AWS S3 Bucket Configuration Deletion>> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.9.0 |2 <<aws-s3-bucket-configuration-deletion-history, Version history>>
 
-|<<aws-waf-rule-or-rule-group-deletion, AWS WAF Rule or Rule Group Deletion>> |Identifies the deletion of a specific AWS Web Application Firewall (WAF) rule or rule group. |[AWS] [Elastic] [SecOps] [Network] [Continuous Monitoring]  |7.9.0 |1
+|<<aws-waf-access-control-list-deletion, AWS WAF Access Control List Deletion>> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security]  |7.9.0 |2 <<aws-waf-access-control-list-deletion-history, Version history>>
 
-|<<adding-hidden-file-attribute-via-attrib, Adding Hidden File Attribute via Attrib>> |Adversaries can add the `hidden` attribute to files to hide them from the user in an attempt to evade detection. |[Elastic] [Windows]  |7.6.0 |4 <<adding-hidden-file-attribute-via-attrib-history, Version history>>
+|<<aws-waf-rule-or-rule-group-deletion, AWS WAF Rule or Rule Group Deletion>> |Identifies the deletion of a specific AWS Web Application Firewall (WAF) rule or rule group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security]  |7.9.0 |2 <<aws-waf-rule-or-rule-group-deletion-history, Version history>>
 
-|<<administrator-privileges-assigned-to-okta-group, Administrator Privileges Assigned to Okta Group>> |An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts. |[Elastic] [Okta] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<abnormally-large-dns-response, Abnormally Large DNS Response>> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Elastic] [Network] [Threat Detection] [Lateral Movement]  |7.10.0 |1
 
-|<<adobe-hijack-persistence, Adobe Hijack Persistence>> |Detects the creation of an executable file or files that will be automatically run by Acrobat Reader when it starts. |[Elastic] [Windows]  |7.6.0 |4 <<adobe-hijack-persistence-history, Version history>>
+|<<adding-hidden-file-attribute-via-attrib, Adding Hidden File Attribute via Attrib>> |Adversaries can add the `hidden` attribute to files to hide them from the user in an attempt to evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |5 <<adding-hidden-file-attribute-via-attrib-history, Version history>>
 
-|<<adversary-behavior-detected-elastic-endpoint-security, Adversary Behavior - Detected - Elastic Endpoint Security>> |Elastic Endpoint Security detected an Adversary Behavior. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<adversary-behavior-detected-elastic-endpoint-security-history, Version history>>
+|<<administrator-privileges-assigned-to-okta-group, Administrator Privileges Assigned to Okta Group>> |An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<administrator-privileges-assigned-to-okta-group-history, Version history>>
 
-|<<anomalous-process-for-a-linux-population, Anomalous Process For a Linux Population>> |Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet. |[Elastic] [Linux] [ML]  |7.7.0 |2 <<anomalous-process-for-a-linux-population-history, Version history>>
+|<<adobe-hijack-persistence, Adobe Hijack Persistence>> |Detects the creation of an executable file or files that will be automatically run by Acrobat Reader when it starts. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |5 <<adobe-hijack-persistence-history, Version history>>
 
-|<<anomalous-process-for-a-windows-population, Anomalous Process For a Windows Population>> |Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<anomalous-process-for-a-windows-population-history, Version history>>
+|<<adversary-behavior-detected-endpoint-security, Adversary Behavior - Detected - Endpoint Security>> |Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<adversary-behavior-detected-endpoint-security-history, Version history>>
 
-|<<anomalous-windows-process-creation, Anomalous Windows Process Creation>> |Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<anomalous-windows-process-creation-history, Version history>>
+|<<anomalous-kernel-module-activity, Anomalous Kernel Module Activity>> |Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
 
-|<<attempt-to-create-okta-api-token, Attempt to Create Okta API Token>> |An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts, or disabling security rules or policies. |[Elastic] [Okta] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<anomalous-linux-compiler-activity, Anomalous Linux Compiler Activity>> |Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
 
-|<<attempt-to-deactivate-mfa-for-okta-user-account, Attempt to Deactivate MFA for Okta User Account>> |An adversary may deactivate multi-factor authentication (MFA) for an Okta user account in order to weaken the authentication requirements for the account. |[Elastic] [Okta] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<anomalous-process-for-a-linux-population, Anomalous Process For a Linux Population>> |Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.7.0 |3 <<anomalous-process-for-a-linux-population-history, Version history>>
 
-|<<attempt-to-deactivate-okta-mfa-rule, Attempt to Deactivate Okta MFA Rule>> |An adversary may attempt to deactivate an Okta multi-factor authentication (MFA) rule in order to remove or weaken an organization's security controls. |[Elastic] [Okta] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<anomalous-process-for-a-windows-population, Anomalous Process For a Windows Population>> |Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<anomalous-process-for-a-windows-population-history, Version history>>
 
-|<<attempt-to-deactivate-okta-policy, Attempt to Deactivate Okta Policy>> |An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Elastic] [Okta] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<anomalous-windows-process-creation, Anomalous Windows Process Creation>> |Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<anomalous-windows-process-creation-history, Version history>>
 
-|<<attempt-to-delete-okta-policy, Attempt to Delete Okta Policy>> |An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Elastic] [Okta] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<attempt-to-create-okta-api-token, Attempt to Create Okta API Token>> |An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts, or disabling security rules or policies. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<attempt-to-create-okta-api-token-history, Version history>>
 
-|<<attempt-to-disable-iptables-or-firewall, Attempt to Disable IPTables or Firewall>> |Identifies attempts to disable ip tables or a firewall service, a technique adversaries can use to modify the network traffic hosts are allowed to send and receive. |[Elastic] [Linux]  |7.8.0 |3 <<attempt-to-disable-iptables-or-firewall-history, Version history>>
+|<<attempt-to-deactivate-mfa-for-okta-user-account, Attempt to Deactivate MFA for Okta User Account>> |An adversary may deactivate multi-factor authentication (MFA) for an Okta user account in order to weaken the authentication requirements for the account. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<attempt-to-deactivate-mfa-for-okta-user-account-history, Version history>>
 
-|<<attempt-to-disable-syslog-service, Attempt to Disable Syslog Service>> |Identifies attempts to disable the `syslog` service, a technique adversaries can use to disrupt event logging and evade detection by security controls. |[Elastic] [Linux]  |7.8.0 |3 <<attempt-to-disable-syslog-service-history, Version history>>
+|<<attempt-to-deactivate-okta-mfa-rule, Attempt to Deactivate Okta MFA Rule>> |An adversary may attempt to deactivate an Okta multi-factor authentication (MFA) rule in order to remove or weaken an organization's security controls. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<attempt-to-deactivate-okta-mfa-rule-history, Version history>>
 
-|<<attempt-to-modify-okta-mfa-rule, Attempt to Modify Okta MFA Rule>> |An adversary may attempt to modify an Okta multi-factor authentication (MFA) rule in order to remove or weaken an organization's security controls. |[Elastic] [Okta] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<attempt-to-deactivate-okta-policy, Attempt to Deactivate Okta Policy>> |An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<attempt-to-deactivate-okta-policy-history, Version history>>
 
-|<<attempt-to-modify-okta-network-zone, Attempt to Modify Okta Network Zone>> |Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. |[Elastic] [Okta] [SecOps] [Network] [Continuous Monitoring]  |7.9.0 |1
+|<<attempt-to-delete-okta-policy, Attempt to Delete Okta Policy>> |An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<attempt-to-delete-okta-policy-history, Version history>>
 
-|<<attempt-to-modify-okta-policy, Attempt to Modify Okta Policy>> |An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Elastic] [Okta] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<attempt-to-disable-iptables-or-firewall, Attempt to Disable IPTables or Firewall>> |Identifies attempts to disable ip tables or a firewall service, a technique adversaries can use to modify the network traffic hosts are allowed to send and receive. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.8.0 |4 <<attempt-to-disable-iptables-or-firewall-history, Version history>>
 
-|<<attempt-to-reset-mfa-factors-for-okta-user-account, Attempt to Reset MFA Factors for Okta User Account>> |An adversary may attempt to remove the multi-factor authentication (MFA) factors registered on an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment. |[Elastic] [Okta] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<attempt-to-disable-syslog-service, Attempt to Disable Syslog Service>> |Identifies attempts to disable the `syslog` service, a technique adversaries can use to disrupt event logging and evade detection by security controls. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.8.0 |4 <<attempt-to-disable-syslog-service-history, Version history>>
 
-|<<attempt-to-revoke-okta-api-token, Attempt to Revoke Okta API Token>> |Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations. |[Elastic] [Okta] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<attempt-to-modify-okta-mfa-rule, Attempt to Modify Okta MFA Rule>> |An adversary may attempt to modify an Okta multi-factor authentication (MFA) rule in order to remove or weaken an organization's security controls. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<attempt-to-modify-okta-mfa-rule-history, Version history>>
 
-|<<attempted-bypass-of-okta-mfa, Attempted Bypass of Okta MFA>> |An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs. |[Elastic] [Okta] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<attempt-to-modify-okta-network-zone, Attempt to Modify Okta Network Zone>> |Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Network Security]  |7.9.0 |2 <<attempt-to-modify-okta-network-zone-history, Version history>>
 
-|<<base16-or-base32-encoding-decoding-activity, Base16 or Base32 Encoding/Decoding Activity>> |Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls. |[Elastic] [Linux]  |7.8.0 |3 <<base16-or-base32-encoding-decoding-activity-history, Version history>>
+|<<attempt-to-modify-okta-policy, Attempt to Modify Okta Policy>> |An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<attempt-to-modify-okta-policy-history, Version history>>
 
-|<<base64-encoding-decoding-activity, Base64 Encoding/Decoding Activity>> |Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls. |[Elastic] [Linux]  |7.8.0 |3 <<base64-encoding-decoding-activity-history, Version history>>
+|<<attempt-to-reset-mfa-factors-for-okta-user-account, Attempt to Reset MFA Factors for Okta User Account>> |An adversary may attempt to remove the multi-factor authentication (MFA) factors registered on an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<attempt-to-reset-mfa-factors-for-okta-user-account-history, Version history>>
 
-|<<bypass-uac-via-event-viewer, Bypass UAC via Event Viewer>> |Identifies User Account Control (UAC) bypass via `eventvwr.exe.` Attackers bypass UAC to stealthily execute code with elevated permissions. |[Elastic] [Windows]  |7.7.0 |3 <<bypass-uac-via-event-viewer-history, Version history>>
+|<<attempt-to-revoke-okta-api-token, Attempt to Revoke Okta API Token>> |Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<attempt-to-revoke-okta-api-token-history, Version history>>
 
-|<<clearing-windows-event-logs, Clearing Windows Event Logs>> |Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. |[Elastic] [Windows]  |7.6.0 |4 <<clearing-windows-event-logs-history, Version history>>
+|<<attempted-bypass-of-okta-mfa, Attempted Bypass of Okta MFA>> |An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<attempted-bypass-of-okta-mfa-history, Version history>>
 
-|<<command-prompt-network-connection, Command Prompt Network Connection>> |Identifies `cmd.exe` making a network connection. Adversaries can abuse `cmd.exe` to download or execute malware from a remote URL. |[Elastic] [Windows]  |7.6.0 |4 <<command-prompt-network-connection-history, Version history>>
+|<<attempts-to-brute-force-an-okta-user-account, Attempts to Brute Force an Okta User Account>> |Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<connection-to-external-network-via-telnet, Connection to External Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. |[Elastic] [Linux]  |7.8.0 |3 <<connection-to-external-network-via-telnet-history, Version history>>
+|<<azure-automation-account-created, Azure Automation Account Created>> |Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<connection-to-internal-network-via-telnet, Connection to Internal Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. |[Elastic] [Linux]  |7.8.0 |3 <<connection-to-internal-network-via-telnet-history, Version history>>
+|<<azure-automation-runbook-created-or-modified, Azure Automation Runbook Created or Modified>> |Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<creation-of-hidden-files-and-directories, Creation of Hidden Files and Directories>> |Users can mark specific files as hidden simply by adding a `.` as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. |[Elastic] [Linux]  |7.9.0 |2 <<creation-of-hidden-files-and-directories-history, Version history>>
+|<<azure-automation-runbook-deleted, Azure Automation Runbook Deleted>> |Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<credential-dumping-detected-elastic-endpoint-security, Credential Dumping - Detected - Elastic Endpoint Security>> |Elastic Endpoint Security detected Credential Dumping. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<credential-dumping-detected-elastic-endpoint-security-history, Version history>>
+|<<azure-automation-webhook-created, Azure Automation Webhook Created>> |Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<credential-dumping-prevented-elastic-endpoint-security, Credential Dumping - Prevented - Elastic Endpoint Security>> |Elastic Endpoint Security prevented Credential Dumping. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<credential-dumping-prevented-elastic-endpoint-security-history, Version history>>
+|<<azure-blob-container-access-level-modification, Azure Blob Container Access Level Modification>> |Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Asset Visibility]  |7.10.0 |1
 
-|<<credential-manipulation-detected-elastic-endpoint-security, Credential Manipulation - Detected - Elastic Endpoint Security>> |Elastic Endpoint Security detected Credential Manipulation. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<credential-manipulation-detected-elastic-endpoint-security-history, Version history>>
+|<<azure-command-execution-on-virtual-machine, Azure Command Execution on Virtual Machine>> |Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<credential-manipulation-prevented-elastic-endpoint-security, Credential Manipulation - Prevented - Elastic Endpoint Security>> |Elastic Endpoint Security prevented Credential Manipulation. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<credential-manipulation-prevented-elastic-endpoint-security-history, Version history>>
+|<<azure-conditional-access-policy-modified, Azure Conditional Access Policy Modified>> |Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<dns-activity-to-the-internet, DNS Activity to the Internet>> |Detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications. |[Elastic] [Network]  |7.6.0 |4 <<dns-activity-to-the-internet-history, Version history>>
+|<<azure-diagnostic-settings-deletion, Azure Diagnostic Settings Deletion>> |Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Monitoring]  |7.10.0 |1
 
-|<<dns-tunneling, DNS Tunneling>> |Detects unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, `dnscat` tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. |[Elastic] [ML] [Packetbeat]  |7.7.0 |2 <<dns-tunneling-history, Version history>>
+|<<azure-event-hub-authorization-rule-created-or-updated, Azure Event Hub Authorization Rule Created or Updated>> |Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<delete-volume-usn-journal-with-fsutil, Delete Volume USN Journal with Fsutil>> |Identifies use of the `fsutil.exe` to delete the `USNJRNL` volume. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. |[Elastic] [Windows]  |7.6.0 |4 <<delete-volume-usn-journal-with-fsutil-history, Version history>>
+|<<azure-event-hub-deletion, Azure Event Hub Deletion>> |Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<deleting-backup-catalogs-with-wbadmin, Deleting Backup Catalogs with Wbadmin>> |Identifies use of the `wbadmin.exe` to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. |[Elastic] [Windows]  |7.6.0 |4 <<deleting-backup-catalogs-with-wbadmin-history, Version history>>
+|<<azure-external-guest-user-invitation, Azure External Guest User Invitation>> |Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<deletion-of-bash-command-line-history, Deletion of Bash Command Line History>> |Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations. |[Elastic] [Linux]  |7.9.0 |2 <<deletion-of-bash-command-line-history-history, Version history>>
+|<<azure-firewall-policy-deletion, Azure Firewall Policy Deletion>> |Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Network Security]  |7.10.0 |1
 
-|<<direct-outbound-smb-connection, Direct Outbound SMB Connection>> |Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally. |[Elastic] [Windows]  |7.6.0 |4 <<direct-outbound-smb-connection-history, Version history>>
+|<<azure-global-administrator-role-addition-to-pim-user, Azure Global Administrator Role Addition to PIM User>> |Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<disable-windows-firewall-rules-via-netsh, Disable Windows Firewall Rules via Netsh>> |Identifies use of the `netsh.exe` to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility. |[Elastic] [Windows]  |7.6.0 |4 <<disable-windows-firewall-rules-via-netsh-history, Version history>>
+|<<azure-key-vault-modified, Azure Key Vault Modified>> |Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Data Protection]  |7.10.0 |1
 
-|<<elastic-endpoint-security, Elastic Endpoint Security>> |Generates a detection alert each time an Elastic Endpoint alert is received. Enabling this rule allows you to immediately begin investigating your Elastic Endpoint alerts. |[Elastic] [Endpoint]  |7.9.0 |1
+|<<azure-network-watcher-deletion, Azure Network Watcher Deletion>> |Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Network Security]  |7.10.0 |1
 
-|<<encoding-or-decoding-files-via-certutil, Encoding or Decoding Files via CertUtil>> |Identifies the use of `certutil.exe` to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration. |[Elastic] [Windows]  |7.6.0 |4 <<encoding-or-decoding-files-via-certutil-history, Version history>>
+|<<azure-privilege-identity-management-role-modified, Azure Privilege Identity Management Role Modified>> |Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<enumeration-of-kernel-modules, Enumeration of Kernel Modules>> |Identifies attempts to enumerate information about a kernel module. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. |[Elastic] [Linux]  |7.8.0 |3 <<enumeration-of-kernel-modules-history, Version history>>
+|<<azure-resource-group-deletion, Azure Resource Group Deletion>> |Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<execution-via-regsvcs-regasm, Execution via Regsvcs/Regasm>> |`RegSvcs.exe` and `RegAsm.exe` are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use `RegSvcs.exe` and `RegAsm.exe` to proxy execution of code through a trusted Windows utility. |[Elastic] [Windows]  |7.7.0 |3 <<execution-via-regsvcs-regasm-history, Version history>>
+|<<azure-storage-account-key-regenerated, Azure Storage Account Key Regenerated>> |Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<exploit-detected-elastic-endpoint-security, Exploit - Detected - Elastic Endpoint Security>> |Elastic Endpoint Security detected an Exploit. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<exploit-detected-elastic-endpoint-security-history, Version history>>
+|<<base16-or-base32-encoding-decoding-activity, Base16 or Base32 Encoding/Decoding Activity>> |Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.8.0 |4 <<base16-or-base32-encoding-decoding-activity-history, Version history>>
 
-|<<exploit-prevented-elastic-endpoint-security, Exploit - Prevented - Elastic Endpoint Security>> |Elastic Endpoint Security prevented an Exploit. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<exploit-prevented-elastic-endpoint-security-history, Version history>>
+|<<base64-encoding-decoding-activity, Base64 Encoding/Decoding Activity>> |Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.8.0 |4 <<base64-encoding-decoding-activity-history, Version history>>
 
-|<<external-alerts, External Alerts>> |Generates a detection alert for each external alert written to the configured securitySolution:defaultIndex. Enabling this rule allows you to immediately begin investigating external alerts in the app. |[Elastic]  |7.9.0 |1
+|<<bypass-uac-via-event-viewer, Bypass UAC via Event Viewer>> |Identifies User Account Control (UAC) bypass via `eventvwr.exe.` Attackers bypass UAC to stealthily execute code with elevated permissions. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.7.0 |4 <<bypass-uac-via-event-viewer-history, Version history>>
 
-|<<ftp-file-transfer-protocol-activity-to-the-internet, FTP (File Transfer Protocol) Activity to the Internet>> |Detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized. |[Elastic] [Network]  |7.6.0 |4 <<ftp-file-transfer-protocol-activity-to-the-internet-history, Version history>>
+|<<clearing-windows-event-logs, Clearing Windows Event Logs>> |Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |5 <<clearing-windows-event-logs-history, Version history>>
 
-|<<file-deletion-via-shred, File Deletion via Shred>> |Identifies file deletions using the `shred` command. Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. |[Elastic] [Linux]  |7.8.0 |3 <<file-deletion-via-shred-history, Version history>>
+|<<cobalt-strike-command-and-control-beacon, Cobalt Strike Command and Control Beacon>> |Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control. |[Elastic] [Network] [Threat Detection] [Command and Control]  |7.10.0 |1
 
-|<<file-permission-modification-in-writable-directory, File Permission Modification in Writable Directory>> |Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory, and change permissions prior to execution. |[Elastic] [Linux]  |7.8.0 |3 <<file-permission-modification-in-writable-directory-history, Version history>>
+|<<command-prompt-network-connection, Command Prompt Network Connection>> |Identifies `cmd.exe` making a network connection. Adversaries can abuse `cmd.exe` to download or execute malware from a remote URL. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<command-prompt-network-connection-history, Version history>>
 
-|<<hex-encoding-decoding-activity, Hex Encoding/Decoding Activity>> |Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls. |[Elastic] [Linux]  |7.8.0 |3 <<hex-encoding-decoding-activity-history, Version history>>
+|<<compression-of-keychain-credentials-directories, Compression of Keychain Credentials Directories>> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access]  |7.10.0 |1
 
-|<<hping-process-activity, Hping Process Activity>> |Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing. |[Elastic] [Linux]  |7.6.0 |4 <<hping-process-activity-history, Version history>>
+|<<conhost-spawned-by-suspicious-parent-process, Conhost Spawned By Suspicious Parent Process>> |Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |1
 
-|<<ipsec-nat-traversal-port-activity, IPSEC NAT Traversal Port Activity>> |Detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection. |[Elastic] [Network]  |7.6.0 |3 <<ipsec-nat-traversal-port-activity-history, Version history>>
+|<<connection-to-external-network-via-telnet, Connection to External Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. |[Elastic] [Host] [Linux] [Threat Detection] [Lateral Movement]  |7.8.0 |4 <<connection-to-external-network-via-telnet-history, Version history>>
 
-|<<irc-internet-relay-chat-protocol-activity-to-the-internet, IRC (Internet Relay Chat) Protocol Activity to the Internet>> |Detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network. |[Elastic] [Network]  |7.6.0 |4 <<irc-internet-relay-chat-protocol-activity-to-the-internet-history, Version history>>
+|<<connection-to-internal-network-via-telnet, Connection to Internal Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. |[Elastic] [Host] [Linux] [Threat Detection] [Lateral Movement]  |7.8.0 |4 <<connection-to-internal-network-via-telnet-history, Version history>>
 
-|<<interactive-terminal-spawned-via-perl, Interactive Terminal Spawned via Perl>> |Identifies when a terminal (`tty`) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive `tty` after obtaining initial access to a host. |[Elastic] [Linux]  |7.8.0 |3 <<interactive-terminal-spawned-via-perl-history, Version history>>
+|<<creation-of-hidden-files-and-directories, Creation of Hidden Files and Directories>> |Users can mark specific files as hidden simply by adding a `.` as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.9.0 |3 <<creation-of-hidden-files-and-directories-history, Version history>>
 
-|<<interactive-terminal-spawned-via-python, Interactive Terminal Spawned via Python>> |Identifies when a terminal (`tty`) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive `tty` after obtaining initial access to a host. |[Elastic] [Linux]  |7.8.0 |3 <<interactive-terminal-spawned-via-python-history, Version history>>
+|<<creation-or-modification-of-domain-backup-dpapi-private-key, Creation or Modification of Domain Backup DPAPI private key>> |Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.10.0 |1
 
-|<<kernel-module-removal, Kernel Module Removal>> |Identifies attempts to remove a kernel module. Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. |[Elastic] [Linux]  |7.8.0 |3 <<kernel-module-removal-history, Version history>>
+|<<creation-or-modification-of-a-new-gpo-scheduled-task-or-service, Creation or Modification of a new GPO Scheduled Task or Service>> |Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.10.0 |1
 
-|<<local-scheduled-task-commands, Local Scheduled Task Commands>> |A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges. |[Elastic] [Windows]  |7.6.0 |4 <<local-scheduled-task-commands-history, Version history>>
+|<<credential-dumping-detected-endpoint-security, Credential Dumping - Detected - Endpoint Security>> |Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<credential-dumping-detected-endpoint-security-history, Version history>>
 
-|<<local-service-commands, Local Service Commands>> |Identifies use of `sc.exe` to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins. |[Elastic] [Windows]  |7.6.0 |4 <<local-service-commands-history, Version history>>
+|<<credential-dumping-prevented-endpoint-security, Credential Dumping - Prevented - Endpoint Security>> |Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<credential-dumping-prevented-endpoint-security-history, Version history>>
 
-|<<malware-detected-elastic-endpoint-security, Malware - Detected - Elastic Endpoint Security>> |Elastic Endpoint Security detected Malware. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<malware-detected-elastic-endpoint-security-history, Version history>>
+|<<credential-manipulation-detected-endpoint-security, Credential Manipulation - Detected - Endpoint Security>> |Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<credential-manipulation-detected-endpoint-security-history, Version history>>
 
-|<<malware-prevented-elastic-endpoint-security, Malware - Prevented - Elastic Endpoint Security>> |Elastic Endpoint Security prevented Malware. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<malware-prevented-elastic-endpoint-security-history, Version history>>
+|<<credential-manipulation-prevented-endpoint-security, Credential Manipulation - Prevented - Endpoint Security>> |Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<credential-manipulation-prevented-endpoint-security-history, Version history>>
 
-|<<microsoft-build-engine-loading-windows-credential-libraries, Microsoft Build Engine Loading Windows Credential Libraries>> |An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping. |[Elastic] [Windows]  |7.7.0 |3 <<microsoft-build-engine-loading-windows-credential-libraries-history, Version history>>
+|<<dns-activity-to-the-internet, DNS Activity to the Internet>> |Detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications. |[Elastic] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<dns-activity-to-the-internet-history, Version history>>
 
-|<<microsoft-build-engine-started-an-unusual-process, Microsoft Build Engine Started an Unusual Process>> |An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine. |[Elastic] [Windows]  |7.7.0 |3 <<microsoft-build-engine-started-an-unusual-process-history, Version history>>
+|<<dns-tunneling, DNS Tunneling>> |Detects unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, `dnscat` tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. |[Elastic] [Network] [Threat Detection] [ML]  |7.7.0 |3 <<dns-tunneling-history, Version history>>
 
-|<<microsoft-build-engine-started-by-a-script-process, Microsoft Build Engine Started by a Script Process>> |An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads. |[Elastic] [Windows]  |7.7.0 |3 <<microsoft-build-engine-started-by-a-script-process-history, Version history>>
+|<<delete-volume-usn-journal-with-fsutil, Delete Volume USN Journal with Fsutil>> |Identifies use of the `fsutil.exe` to delete the `USNJRNL` volume. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |5 <<delete-volume-usn-journal-with-fsutil-history, Version history>>
 
-|<<microsoft-build-engine-started-by-a-system-process, Microsoft Build Engine Started by a System Process>> |An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads. |[Elastic] [Windows]  |7.7.0 |3 <<microsoft-build-engine-started-by-a-system-process-history, Version history>>
+|<<deleting-backup-catalogs-with-wbadmin, Deleting Backup Catalogs with Wbadmin>> |Identifies use of the `wbadmin.exe` to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |5 <<deleting-backup-catalogs-with-wbadmin-history, Version history>>
 
-|<<microsoft-build-engine-started-by-an-office-application, Microsoft Build Engine Started by an Office Application>> |An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload. |[Elastic] [Windows]  |7.7.0 |3 <<microsoft-build-engine-started-by-an-office-application-history, Version history>>
+|<<deletion-of-bash-command-line-history, Deletion of Bash Command Line History>> |Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.9.0 |3 <<deletion-of-bash-command-line-history-history, Version history>>
 
-|<<microsoft-build-engine-using-an-alternate-name, Microsoft Build Engine Using an Alternate Name>> |An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run MSBuild unnoticed or undetected. |[Elastic] [Windows]  |7.7.0 |3 <<microsoft-build-engine-using-an-alternate-name-history, Version history>>
+|<<direct-outbound-smb-connection, Direct Outbound SMB Connection>> |Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.6.0 |5 <<direct-outbound-smb-connection-history, Version history>>
 
-|<<mknod-process-activity, Mknod Process Activity>> |The Linux `mknod` program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of `netcat` is not available to the payload. |[Elastic] [Linux]  |7.6.0 |4 <<mknod-process-activity-history, Version history>>
+|<<disable-windows-firewall-rules-via-netsh, Disable Windows Firewall Rules via Netsh>> |Identifies use of the `netsh.exe` to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |5 <<disable-windows-firewall-rules-via-netsh-history, Version history>>
 
-|<<modification-of-boot-configuration, Modification of Boot Configuration>> |Identifies use of `bcdedit.exe` to delete boot configuration data. Malware and attackers sometimes use this tactic as a destructive technique. |[Elastic] [Windows]  |7.7.0 |3 <<modification-of-boot-configuration-history, Version history>>
+|<<encoding-or-decoding-files-via-certutil, Encoding or Decoding Files via CertUtil>> |Identifies the use of `certutil.exe` to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |5 <<encoding-or-decoding-files-via-certutil-history, Version history>>
 
-|<<modification-or-removal-of-an-okta-application-sign-on-policy, Modification or Removal of an Okta Application Sign-On Policy>> |An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls. |[Elastic] [Okta] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<endpoint-security, Endpoint Security>> |Generates a detection alert each time an Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. |[Elastic] [Endpoint Security]  |7.9.0 |2 <<endpoint-security-history, Version history>>
 
-|<<msbuild-making-network-connections, MsBuild Making Network Connections>> |Identifies `MsBuild.exe` making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection. |[Elastic] [Windows]  |7.6.0 |4 <<msbuild-making-network-connections-history, Version history>>
+|<<enumeration-of-kernel-modules, Enumeration of Kernel Modules>> |Identifies attempts to enumerate information about a kernel module. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. |[Elastic] [Host] [Linux] [Threat Detection] [Discovery]  |7.8.0 |4 <<enumeration-of-kernel-modules-history, Version history>>
 
-|<<net-command-via-system-account, Net command via SYSTEM account>> |Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections. |[Elastic] [Windows]  |7.7.0 |3 <<net-command-via-system-account-history, Version history>>
+|<<execution-of-file-written-or-modified-by-microsoft-office, Execution of File Written or Modified by Microsoft Office>> |Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |1
 
-|<<netcat-network-activity, Netcat Network Activity>> |A `netcat` process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. |[Elastic] [Linux]  |7.6.0 |4 <<netcat-network-activity-history, Version history>>
+|<<execution-of-file-written-or-modified-by-pdf-reader, Execution of File Written or Modified by PDF Reader>> |Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |1
 
-|<<network-connection-via-certutil, Network Connection via Certutil>> |Identifies `certutil.exe` making a network connection. Adversaries could abuse `certutil.exe` to download a certificate or malware from a remote URL. |[Elastic] [Windows]  |7.7.0 |3 <<network-connection-via-certutil-history, Version history>>
+|<<execution-via-mssql-xp_cmdshell-stored-procedure, Execution via MSSQL xp_cmdshell Stored Procedure>> |Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |1
 
-|<<network-connection-via-compiled-html-file, Network Connection via Compiled HTML File>> |Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (`hh.exe`). |[Elastic] [Windows]  |7.6.0 |4 <<network-connection-via-compiled-html-file-history, Version history>>
+|<<execution-via-regsvcs-regasm, Execution via Regsvcs/Regasm>> |`RegSvcs.exe` and `RegAsm.exe` are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use `RegSvcs.exe` and `RegAsm.exe` to proxy execution of code through a trusted Windows utility. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.7.0 |4 <<execution-via-regsvcs-regasm-history, Version history>>
 
-|<<network-connection-via-msxsl, Network Connection via MsXsl>> |Identifies `msxsl.exe` making a network connection. This may indicate adversarial activity as `msxsl.exe` is often leveraged by adversaries to execute malicious scripts and evade detection. |[Elastic] [Windows]  |7.7.0 |3 <<network-connection-via-msxsl-history, Version history>>
+|<<exploit-detected-endpoint-security, Exploit - Detected - Endpoint Security>> |Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<exploit-detected-endpoint-security-history, Version history>>
 
-|<<network-connection-via-mshta, Network Connection via Mshta>> |Identifies `mshta.exe` making a network connection. This may indicate adversarial activity as `mshta.exe` is often leveraged by adversaries to execute malicious scripts and evade detection. |[Elastic] [Windows]  |7.6.0 |4 <<network-connection-via-mshta-history, Version history>>
+|<<exploit-prevented-endpoint-security, Exploit - Prevented - Endpoint Security>> |Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<exploit-prevented-endpoint-security-history, Version history>>
 
-|<<network-connection-via-regsvr, Network Connection via Regsvr>> |Identifies the native Windows tools `regsvr32.exe` and `regsvr64.exe` making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary. |[Elastic] [Windows]  |7.6.0 |4 <<network-connection-via-regsvr-history, Version history>>
+|<<external-alerts, External Alerts>> |Generates a detection alert for each external alert written to the configured securitySolution:defaultIndex. Enabling this rule allows you to immediately begin investigating external alerts in the app. |[Elastic] [Network] [Windows] [APM] [macOS] [Linux]  |7.9.0 |2 <<external-alerts-history, Version history>>
 
-|<<network-connection-via-signed-binary, Network Connection via Signed Binary>> |Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation. |[Elastic] [Windows]  |7.6.0 |4 <<network-connection-via-signed-binary-history, Version history>>
+|<<ftp-file-transfer-protocol-activity-to-the-internet, FTP (File Transfer Protocol) Activity to the Internet>> |Detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<ftp-file-transfer-protocol-activity-to-the-internet-history, Version history>>
 
-|<<network-sniffing-via-tcpdump, Network Sniffing via Tcpdump>> |The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion. |[Elastic] [Linux]  |7.6.0 |4 <<network-sniffing-via-tcpdump-history, Version history>>
+|<<file-deletion-via-shred, File Deletion via Shred>> |Identifies file deletions using the `shred` command. Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.8.0 |4 <<file-deletion-via-shred-history, Version history>>
 
-|<<nmap-process-activity, Nmap Process Activity>> |Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement. |[Elastic] [Linux]  |7.6.0 |4 <<nmap-process-activity-history, Version history>>
+|<<file-permission-modification-in-writable-directory, File Permission Modification in Writable Directory>> |Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory, and change permissions prior to execution. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.8.0 |4 <<file-permission-modification-in-writable-directory-history, Version history>>
 
-|<<nping-process-activity, Nping Process Activity>> |Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing. |[Elastic] [Linux]  |7.6.0 |4 <<nping-process-activity-history, Version history>>
+|<<gcp-firewall-rule-creation, GCP Firewall Rule Creation>> |Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<okta-brute-force-or-password-spraying-attack, Okta Brute Force or Password Spraying Attack>> |Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. |[Elastic] [Okta] [SecOps] [Identity and Access] [Continuous Monitoring]  |7.9.0 |1
+|<<gcp-firewall-rule-deletion, GCP Firewall Rule Deletion>> |Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<pptp-point-to-point-tunneling-protocol-activity, PPTP (Point to Point Tunneling Protocol) Activity>> |Detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection. |[Elastic] [Network]  |7.6.0 |3 <<pptp-point-to-point-tunneling-protocol-activity-history, Version history>>
+|<<gcp-firewall-rule-modification, GCP Firewall Rule Modification>> |Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<permission-theft-detected-elastic-endpoint-security, Permission Theft - Detected - Elastic Endpoint Security>> |Elastic Endpoint Security detected Permission Theft. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<permission-theft-detected-elastic-endpoint-security-history, Version history>>
+|<<gcp-iam-custom-role-creation, GCP IAM Custom Role Creation>> |Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<permission-theft-prevented-elastic-endpoint-security, Permission Theft - Prevented - Elastic Endpoint Security>> |Elastic Endpoint Security prevented Permission Theft. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<permission-theft-prevented-elastic-endpoint-security-history, Version history>>
+|<<gcp-iam-role-deletion, GCP IAM Role Deletion>> |Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<persistence-via-kernel-module-modification, Persistence via Kernel Module Modification>> |Identifies loadable kernel module errors, which are often indicative of potential persistence attempts. |[Elastic] [Linux]  |7.6.0 |4 <<persistence-via-kernel-module-modification-history, Version history>>
+|<<gcp-iam-service-account-key-deletion, GCP IAM Service Account Key Deletion>> |Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<possible-okta-dos-attack, Possible Okta DoS Attack>> |An adversary may attempt to disrupt an organization's business operations by performing a denial of service (DoS) attack against its Okta infrastructure. |[Elastic] [Okta] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<gcp-logging-bucket-deletion, GCP Logging Bucket Deletion>> |Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<potential-application-shimming-via-sdbinst, Potential Application Shimming via Sdbinst>> |The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. |[Elastic] [Windows]  |7.6.0 |3 <<potential-application-shimming-via-sdbinst-history, Version history>>
+|<<gcp-logging-sink-deletion, GCP Logging Sink Deletion>> |Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<potential-dns-tunneling-via-iodine, Potential DNS Tunneling via Iodine>> |Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection. |[Elastic] [Linux]  |7.6.0 |4 <<potential-dns-tunneling-via-iodine-history, Version history>>
+|<<gcp-logging-sink-modification, GCP Logging Sink Modification>> |Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<potential-disabling-of-selinux, Potential Disabling of SELinux>> |Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature that supports access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. |[Elastic] [Linux]  |7.8.0 |3 <<potential-disabling-of-selinux-history, Version history>>
+|<<gcp-pub-sub-subscription-creation, GCP Pub/Sub Subscription Creation>> |Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<potential-evasion-via-filter-manager, Potential Evasion via Filter Manager>> |The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses. |[Elastic] [Windows]  |7.6.0 |3 <<potential-evasion-via-filter-manager-history, Version history>>
+|<<gcp-pub-sub-subscription-deletion, GCP Pub/Sub Subscription Deletion>> |Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<potential-modification-of-accessibility-binaries, Potential Modification of Accessibility Binaries>> |Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. |[Elastic] [Windows]  |7.6.0 |3 <<potential-modification-of-accessibility-binaries-history, Version history>>
+|<<gcp-pub-sub-topic-creation, GCP Pub/Sub Topic Creation>> |Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<potential-shell-via-web-server, Potential Shell via Web Server>> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. |[Elastic] [Linux]  |7.6.0 |5 <<potential-shell-via-web-server-history, Version history>>
+|<<gcp-pub-sub-topic-deletion, GCP Pub/Sub Topic Deletion>> |Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Log Auditing]  |7.10.0 |1
 
-|<<powershell-spawning-cmd, PowerShell spawning Cmd>> |Identifies a suspicious parent child process relationship with `cmd.exe` descending from `PowerShell.exe`. |[Elastic] [Windows]  |7.6.0 |4 <<powershell-spawning-cmd-history, Version history>>
+|<<gcp-service-account-creation, GCP Service Account Creation>> |Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<process-activity-via-compiled-html-file, Process Activity via Compiled HTML File>> |Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (`hh.exe`). |[Elastic] [Windows]  |7.6.0 |3 <<process-activity-via-compiled-html-file-history, Version history>>
+|<<gcp-service-account-deletion, GCP Service Account Deletion>> |Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<process-discovery-via-tasklist, Process Discovery via Tasklist>> |Adversaries may attempt to get information about running processes on a system. |[Elastic] [Windows]  |7.6.0 |3 <<process-discovery-via-tasklist-history, Version history>>
+|<<gcp-service-account-disabled, GCP Service Account Disabled>> |Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<process-injection-detected-elastic-endpoint-security, Process Injection - Detected - Elastic Endpoint Security>> |Elastic Endpoint Security detected Process Injection. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<process-injection-detected-elastic-endpoint-security-history, Version history>>
+|<<gcp-service-account-key-creation, GCP Service Account Key Creation>> |Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<process-injection-prevented-elastic-endpoint-security, Process Injection - Prevented - Elastic Endpoint Security>> |Elastic Endpoint Security prevented Process Injection. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<process-injection-prevented-elastic-endpoint-security-history, Version history>>
+|<<gcp-storage-bucket-configuration-modification, GCP Storage Bucket Configuration Modification>> |Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<process-injection-by-the-microsoft-build-engine, Process Injection by the Microsoft Build Engine>> |An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges. |[Elastic] [Windows]  |7.7.0 |2 <<process-injection-by-the-microsoft-build-engine-history, Version history>>
+|<<gcp-storage-bucket-deletion, GCP Storage Bucket Deletion>> |Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Monitoring]  |7.10.0 |1
 
-|<<proxy-port-activity-to-the-internet, Proxy Port Activity to the Internet>> |Detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms. |[Elastic] [Network]  |7.6.0 |4 <<proxy-port-activity-to-the-internet-history, Version history>>
+|<<gcp-storage-bucket-permissions-modification, GCP Storage Bucket Permissions Modification>> |Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<psexec-network-connection, PsExec Network Connection>> |Identifies use of the SysInternals tool `PsExec.exe` making a network connection. This could be an indication of lateral movement. |[Elastic] [Windows]  |7.6.0 |4 <<psexec-network-connection-history, Version history>>
+|<<gcp-virtual-private-cloud-network-deletion, GCP Virtual Private Cloud Network Deletion>> |Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<rdp-remote-desktop-protocol-from-the-internet, RDP (Remote Desktop Protocol) from the Internet>> |Detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network]  |7.6.0 |4 <<rdp-remote-desktop-protocol-from-the-internet-history, Version history>>
+|<<gcp-virtual-private-cloud-route-creation, GCP Virtual Private Cloud Route Creation>> |Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<rdp-remote-desktop-protocol-to-the-internet, RDP (Remote Desktop Protocol) to the Internet>> |Detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network]  |7.6.0 |4 <<rdp-remote-desktop-protocol-to-the-internet-history, Version history>>
+|<<gcp-virtual-private-cloud-route-deletion, GCP Virtual Private Cloud Route Deletion>> |Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment. |[Elastic] [Cloud] [GCP] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
-|<<rpc-remote-procedure-call-from-the-internet, RPC (Remote Procedure Call) from the Internet>> |Detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network]  |7.6.0 |4 <<rpc-remote-procedure-call-from-the-internet-history, Version history>>
+|<<halfbaked-command-and-control-beacon, Halfbaked Command and Control Beacon>> |Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control. |[Elastic] [Network] [Threat Detection] [Command and Control]  |7.10.0 |1
 
-|<<rpc-remote-procedure-call-to-the-internet, RPC (Remote Procedure Call) to the Internet>> |Detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network]  |7.6.0 |4 <<rpc-remote-procedure-call-to-the-internet-history, Version history>>
+|<<hex-encoding-decoding-activity, Hex Encoding/Decoding Activity>> |Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.8.0 |4 <<hex-encoding-decoding-activity-history, Version history>>
 
-|<<ransomware-detected-elastic-endpoint-security, Ransomware - Detected - Elastic Endpoint Security>> |Elastic Endpoint Security detected Ransomware. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<ransomware-detected-elastic-endpoint-security-history, Version history>>
+|<<high-number-of-okta-user-password-reset-or-unlock-attempts, High Number of Okta User Password Reset or Unlock Attempts>> |Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target's environment and evade detection. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<ransomware-prevented-elastic-endpoint-security, Ransomware - Prevented - Elastic Endpoint Security>> |Elastic Endpoint Security prevented Ransomware. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint]  |7.6.0 |3 <<ransomware-prevented-elastic-endpoint-security-history, Version history>>
+|<<hosts-file-modified, Hosts File Modified>> |The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. |[Elastic] [Host] [Linux] [Windows] [macOS] [Threat Detection] [Impact]  |7.10.0 |1
 
-|<<rare-aws-error-code, Rare AWS Error Code>> |A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. |[AWS] [Elastic] [ML]  |7.9.0 |1
+|<<hping-process-activity, Hping Process Activity>> |Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |5 <<hping-process-activity-history, Version history>>
 
-|<<smb-windows-file-sharing-activity-to-the-internet, SMB (Windows File Sharing) Activity to the Internet>> |Detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back- door vector or for data exfiltration. |[Elastic] [Network]  |7.6.0 |4 <<smb-windows-file-sharing-activity-to-the-internet-history, Version history>>
+|<<iis-http-logging-disabled, IIS HTTP Logging Disabled>> |Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
 
-|<<smtp-on-port-26-tcp, SMTP on Port 26/TCP>> |Detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. |[Elastic] [Network]  |7.6.0 |3 <<smtp-on-port-26-tcp-history, Version history>>
+|<<ipsec-nat-traversal-port-activity, IPSEC NAT Traversal Port Activity>> |Detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |4 <<ipsec-nat-traversal-port-activity-history, Version history>>
 
-|<<smtp-to-the-internet, SMTP to the Internet>> |Detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration. |[Elastic] [Network]  |7.6.0 |4 <<smtp-to-the-internet-history, Version history>>
+|<<irc-internet-relay-chat-protocol-activity-to-the-internet, IRC (Internet Relay Chat) Protocol Activity to the Internet>> |Detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<irc-internet-relay-chat-protocol-activity-to-the-internet-history, Version history>>
 
-|<<sql-traffic-to-the-internet, SQL Traffic to the Internet>> |Detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources. |[Elastic] [Network]  |7.6.0 |4 <<sql-traffic-to-the-internet-history, Version history>>
+|<<inbound-connection-to-an-unsecure-elasticsearch-node, Inbound Connection to an Unsecure Elasticsearch Node>> |Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port. |[Elastic] [Network] [Threat Detection] [Initial Access]  |7.10.0 |1
 
-|<<ssh-secure-shell-from-the-internet, SSH (Secure Shell) from the Internet>> |Detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network]  |7.6.0 |4 <<ssh-secure-shell-from-the-internet-history, Version history>>
+|<<installutil-process-making-network-connections, InstallUtil Process Making Network Connections>> |Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
 
-|<<ssh-secure-shell-to-the-internet, SSH (Secure Shell) to the Internet>> |Detects network events that may indicate the use of SSH traffic to the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network]  |7.6.0 |4 <<ssh-secure-shell-to-the-internet-history, Version history>>
+|<<installation-of-custom-shim-databases, Installation of Custom Shim Databases>> |Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.10.0 |1
 
-|<<setgid-bit-set-via-chmod, Setgid Bit Set via chmod>> |An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. |[Elastic] [Linux]  |7.8.0 |3 <<setgid-bit-set-via-chmod-history, Version history>>
+|<<interactive-terminal-spawned-via-perl, Interactive Terminal Spawned via Perl>> |Identifies when a terminal (`tty`) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive `tty` after obtaining initial access to a host. |[Elastic] [Host] [Linux] [Threat Detection] [Execution]  |7.8.0 |4 <<interactive-terminal-spawned-via-perl-history, Version history>>
 
-|<<setuid-bit-set-via-chmod, Setuid Bit Set via chmod>> |An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. |[Elastic] [Linux]  |7.8.0 |3 <<setuid-bit-set-via-chmod-history, Version history>>
+|<<interactive-terminal-spawned-via-python, Interactive Terminal Spawned via Python>> |Identifies when a terminal (`tty`) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive `tty` after obtaining initial access to a host. |[Elastic] [Host] [Linux] [Threat Detection] [Execution]  |7.8.0 |4 <<interactive-terminal-spawned-via-python-history, Version history>>
 
-|<<socat-process-activity, Socat Process Activity>> |A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement. |[Elastic] [Linux]  |7.6.0 |4 <<socat-process-activity-history, Version history>>
+|<<kerberos-cached-credentials-dumping, Kerberos Cached Credentials Dumping>> |Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access]  |7.10.0 |1
 
-|<<spike-in-aws-error-messages, Spike in AWS Error Messages>> |A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery. |[AWS] [Elastic] [ML]  |7.9.0 |1
+|<<kernel-module-removal, Kernel Module Removal>> |Identifies attempts to remove a kernel module. Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.8.0 |4 <<kernel-module-removal-history, Version history>>
 
-|<<strace-process-activity, Strace Process Activity>> |Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally. |[Elastic] [Linux]  |7.6.0 |4 <<strace-process-activity-history, Version history>>
+|<<local-scheduled-task-commands, Local Scheduled Task Commands>> |A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |5 <<local-scheduled-task-commands-history, Version history>>
 
-|<<sudoers-file-modification, Sudoers File Modification>> |A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. |[Elastic] [Linux]  |7.8.0 |3 <<sudoers-file-modification-history, Version history>>
+|<<local-service-commands, Local Service Commands>> |Identifies use of `sc.exe` to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<local-service-commands-history, Version history>>
 
-|<<suspicious-activity-reported-by-okta-user, Suspicious Activity Reported by Okta User>> |This rule detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. |[Elastic] [Okta] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<malware-detected-endpoint-security, Malware - Detected - Endpoint Security>> |Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<malware-detected-endpoint-security-history, Version history>>
 
-|<<suspicious-ms-office-child-process, Suspicious MS Office Child Process>> |Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. |[Elastic] [Windows]  |7.6.0 |4 <<suspicious-ms-office-child-process-history, Version history>>
+|<<malware-prevented-endpoint-security, Malware - Prevented - Endpoint Security>> |Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<malware-prevented-endpoint-security-history, Version history>>
 
-|<<suspicious-ms-outlook-child-process, Suspicious MS Outlook Child Process>> |Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. |[Elastic] [Windows]  |7.6.0 |4 <<suspicious-ms-outlook-child-process-history, Version history>>
+|<<microsoft-build-engine-loading-windows-credential-libraries, Microsoft Build Engine Loading Windows Credential Libraries>> |An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.7.0 |4 <<microsoft-build-engine-loading-windows-credential-libraries-history, Version history>>
 
-|<<suspicious-pdf-reader-child-process, Suspicious PDF Reader Child Process>> |Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. |[Elastic] [Windows]  |7.7.0 |3 <<suspicious-pdf-reader-child-process-history, Version history>>
+|<<microsoft-build-engine-started-an-unusual-process, Microsoft Build Engine Started an Unusual Process>> |An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.7.0 |4 <<microsoft-build-engine-started-an-unusual-process-history, Version history>>
 
-|<<suspicious-powershell-script, Suspicious Powershell Script>> |A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<suspicious-powershell-script-history, Version history>>
+|<<microsoft-build-engine-started-by-a-script-process, Microsoft Build Engine Started by a Script Process>> |An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.7.0 |4 <<microsoft-build-engine-started-by-a-script-process-history, Version history>>
 
-|<<svchost-spawning-cmd, Svchost spawning Cmd>> |Identifies a suspicious parent-child process relationship with cmd.exe descending from `svchost.exe`. |[Elastic] [Windows]  |7.6.0 |4 <<svchost-spawning-cmd-history, Version history>>
+|<<microsoft-build-engine-started-by-a-system-process, Microsoft Build Engine Started by a System Process>> |An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.7.0 |4 <<microsoft-build-engine-started-by-a-system-process-history, Version history>>
 
-|<<system-shells-via-services, System Shells via Services>> |Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. |[Elastic] [Windows]  |7.6.0 |4 <<system-shells-via-services-history, Version history>>
+|<<microsoft-build-engine-started-by-an-office-application, Microsoft Build Engine Started by an Office Application>> |An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.7.0 |4 <<microsoft-build-engine-started-by-an-office-application-history, Version history>>
 
-|<<tcp-port-8000-activity-to-the-internet, TCP Port 8000 Activity to the Internet>> |TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy. |[Elastic] [Network]  |7.6.0 |4 <<tcp-port-8000-activity-to-the-internet-history, Version history>>
+|<<microsoft-build-engine-using-an-alternate-name, Microsoft Build Engine Using an Alternate Name>> |An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run MSBuild unnoticed or undetected. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.7.0 |4 <<microsoft-build-engine-using-an-alternate-name-history, Version history>>
 
-|<<telnet-port-activity, Telnet Port Activity>> |Detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. |[Elastic] [Network]  |7.6.0 |3 <<telnet-port-activity-history, Version history>>
+|<<microsoft-iis-connection-strings-decryption, Microsoft IIS Connection Strings Decryption>> |Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.10.0 |1
 
-|<<threat-detected-by-okta-threatinsight, Threat Detected by Okta ThreatInsight>> |This rule detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential-based attacks against their organization, such as brute-force and password-spraying attacks. |[Elastic] [Okta] [SecOps] [Monitoring] [Continuous Monitoring]  |7.9.0 |1
+|<<microsoft-iis-service-account-password-dumped, Microsoft IIS Service Account Password Dumped>> |Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.10.0 |1
 
-|<<tor-activity-to-the-internet, Tor Activity to the Internet>> |Detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection. |[Elastic] [Network]  |7.6.0 |4 <<tor-activity-to-the-internet-history, Version history>>
+|<<mimikatz-memssp-log-file-detected, Mimikatz Memssp Log File Detected>> |Identifies the password log file from the default Mimikatz memssp module. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access]  |7.10.0 |1
 
-|<<trusted-developer-application-usage, Trusted Developer Application Usage>> |Identifies possibly suspicious activity using a trusted Windows developer utility program. |[Elastic] [Windows]  |7.6.0 |3 <<trusted-developer-application-usage-history, Version history>>
+|<<mknod-process-activity, Mknod Process Activity>> |The Linux `mknod` program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of `netcat` is not available to the payload. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |5 <<mknod-process-activity-history, Version history>>
 
-|<<unusual-aws-command-for-a-user, Unusual AWS Command for a User>> |A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data. |[AWS] [Elastic] [ML]  |7.9.0 |1
+|<<modification-of-boot-configuration, Modification of Boot Configuration>> |Identifies use of `bcdedit.exe` to delete boot configuration data. Malware and attackers sometimes use this tactic as a destructive technique. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.7.0 |4 <<modification-of-boot-configuration-history, Version history>>
 
-|<<unusual-city-for-an-aws-command, Unusual City For an AWS Command>> |A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different location from the authorized users. |[AWS] [Elastic] [ML]  |7.9.0 |1
+|<<modification-or-removal-of-an-okta-application-sign-on-policy, Modification or Removal of an Okta Application Sign-On Policy>> |An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<modification-or-removal-of-an-okta-application-sign-on-policy-history, Version history>>
 
-|<<unusual-country-for-an-aws-command, Unusual Country For an AWS Command>> |A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different location from the authorized users. |[AWS] [Elastic] [ML]  |7.9.0 |1
+|<<msbuild-making-network-connections, MsBuild Making Network Connections>> |Identifies `MsBuild.exe` making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<msbuild-making-network-connections-history, Version history>>
 
-|<<unusual-dns-activity, Unusual DNS Activity>> |A machine learning job detected a rare and unusual DNS query that indicates network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication. |[Elastic] [ML] [Packetbeat]  |7.7.0 |2 <<unusual-dns-activity-history, Version history>>
+|<<mshta-making-network-connections, Mshta Making Network Connections>> |Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
 
-|<<unusual-linux-network-activity, Unusual Linux Network Activity>> |Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. |[Elastic] [Linux] [ML]  |7.7.0 |2 <<unusual-linux-network-activity-history, Version history>>
+|<<multi-factor-authentication-disabled-for-an-azure-user, Multi-Factor Authentication Disabled for an Azure User>> |Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<unusual-linux-network-port-activity, Unusual Linux Network Port Activity>> |Identifies unusual destination port activity that can indicate command-and- control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity. |[Elastic] [Linux] [ML]  |7.7.0 |2 <<unusual-linux-network-port-activity-history, Version history>>
+|<<net-command-via-system-account, Net command via SYSTEM account>> |Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.7.0 |4 <<net-command-via-system-account-history, Version history>>
 
-|<<unusual-linux-network-service, Unusual Linux Network Service>> |Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms. |[Elastic] [Linux] [ML]  |7.7.0 |2 <<unusual-linux-network-service-history, Version history>>
+|<<netcat-network-activity, Netcat Network Activity>> |A `netcat` process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |5 <<netcat-network-activity-history, Version history>>
 
-|<<unusual-linux-username, Unusual Linux Username>> |A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. |[Elastic] [Linux] [ML]  |7.7.0 |2 <<unusual-linux-username-history, Version history>>
+|<<network-connection-via-certutil, Network Connection via Certutil>> |Identifies `certutil.exe` making a network connection. Adversaries could abuse `certutil.exe` to download a certificate or malware from a remote URL. |[Elastic] [Host] [Windows] [Threat Detection] [Command and Control]  |7.7.0 |4 <<network-connection-via-certutil-history, Version history>>
 
-|<<unusual-linux-web-activity, Unusual Linux Web Activity>> |A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity. |[Elastic] [Linux] [ML]  |7.7.0 |2 <<unusual-linux-web-activity-history, Version history>>
+|<<network-connection-via-compiled-html-file, Network Connection via Compiled HTML File>> |Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (`hh.exe`). |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<network-connection-via-compiled-html-file-history, Version history>>
 
-|<<unusual-login-activity, Unusual Login Activity>> |Identifies an unusually high number of authentication attempts. |[Elastic] [Linux] [ML]  |7.7.0 |2 <<unusual-login-activity-history, Version history>>
+|<<network-connection-via-msxsl, Network Connection via MsXsl>> |Identifies `msxsl.exe` making a network connection. This may indicate adversarial activity as `msxsl.exe` is often leveraged by adversaries to execute malicious scripts and evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.7.0 |4 <<network-connection-via-msxsl-history, Version history>>
 
-|<<unusual-network-connection-via-rundll32, Unusual Network Connection via RunDLL32>> |Identifies unusual instances of `rundll32.exe` making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs. |[Elastic] [Windows]  |7.6.0 |5 <<unusual-network-connection-via-rundll32-history, Version history>>
+|<<network-connection-via-registration-utility, Network Connection via Registration Utility>> |Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<network-connection-via-registration-utility-history, Version history>>
 
-|<<unusual-network-destination-domain-name, Unusual Network Destination Domain Name>> |A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication. |[Elastic] [ML] [Packetbeat]  |7.7.0 |2 <<unusual-network-destination-domain-name-history, Version history>>
+|<<network-connection-via-signed-binary, Network Connection via Signed Binary>> |Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |5 <<network-connection-via-signed-binary-history, Version history>>
 
-|<<unusual-parent-child-relationship, Unusual Parent-Child Relationship>> |Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. |[Elastic] [Windows]  |7.6.0 |4 <<unusual-parent-child-relationship-history, Version history>>
+|<<network-sniffing-via-tcpdump, Network Sniffing via Tcpdump>> |The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion. |[Elastic] [Host] [Linux] [Threat Detection] [Credential Access]  |7.6.0 |5 <<network-sniffing-via-tcpdump-history, Version history>>
 
-|<<unusual-process-execution-temp, Unusual Process Execution - Temp>> |Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware. |[Elastic] [Linux]  |7.6.0 |4 <<unusual-process-execution-temp-history, Version history>>
+|<<nmap-process-activity, Nmap Process Activity>> |Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |5 <<nmap-process-activity-history, Version history>>
 
-|<<unusual-process-for-a-linux-host, Unusual Process For a Linux Host>> |Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. |[Elastic] [Linux] [ML]  |7.7.0 |2 <<unusual-process-for-a-linux-host-history, Version history>>
+|<<nping-process-activity, Nping Process Activity>> |Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |5 <<nping-process-activity-history, Version history>>
 
-|<<unusual-process-for-a-windows-host, Unusual Process For a Windows Host>> |Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<unusual-process-for-a-windows-host-history, Version history>>
+|<<okta-brute-force-or-password-spraying-attack, Okta Brute Force or Password Spraying Attack>> |Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.9.0 |2 <<okta-brute-force-or-password-spraying-attack-history, Version history>>
 
-|<<unusual-process-network-connection, Unusual Process Network Connection>> |Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. |[Elastic] [Windows]  |7.6.0 |4 <<unusual-process-network-connection-history, Version history>>
+|<<pptp-point-to-point-tunneling-protocol-activity, PPTP (Point to Point Tunneling Protocol) Activity>> |Detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |4 <<pptp-point-to-point-tunneling-protocol-activity-history, Version history>>
 
-|<<unusual-web-request, Unusual Web Request>> |A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command- and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic. |[Elastic] [ML] [Packetbeat]  |7.7.0 |2 <<unusual-web-request-history, Version history>>
+|<<permission-theft-detected-endpoint-security, Permission Theft - Detected - Endpoint Security>> |Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<permission-theft-detected-endpoint-security-history, Version history>>
 
-|<<unusual-web-user-agent, Unusual Web User Agent>> |A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity. |[Elastic] [ML] [Packetbeat]  |7.7.0 |2 <<unusual-web-user-agent-history, Version history>>
+|<<permission-theft-prevented-endpoint-security, Permission Theft - Prevented - Endpoint Security>> |Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<permission-theft-prevented-endpoint-security-history, Version history>>
 
-|<<unusual-windows-network-activity, Unusual Windows Network Activity>> |Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<unusual-windows-network-activity-history, Version history>>
+|<<persistence-via-kernel-module-modification, Persistence via Kernel Module Modification>> |Identifies loadable kernel module errors, which are often indicative of potential persistence attempts. |[Elastic] [Host] [Linux] [Threat Detection] [Persistence]  |7.6.0 |5 <<persistence-via-kernel-module-modification-history, Version history>>
 
-|<<unusual-windows-path-activity, Unusual Windows Path Activity>> |Identifies processes started from atypical folders in the file system, which may indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<unusual-windows-path-activity-history, Version history>>
+|<<persistence-via-telemetrycontroller-scheduled-task-hijack, Persistence via TelemetryController Scheduled Task Hijack>> |Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.10.0 |1
 
-|<<unusual-windows-remote-user, Unusual Windows Remote User>> |A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<unusual-windows-remote-user-history, Version history>>
+|<<persistence-via-update-orchestrator-service-hijack, Persistence via Update Orchestrator Service Hijack>> |Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.10.0 |1
 
-|<<unusual-windows-service, Unusual Windows Service>> |A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<unusual-windows-service-history, Version history>>
+|<<possible-consent-grant-attack-via-azure-registered-application, Possible Consent Grant Attack via Azure-Registered Application>> |Identifies when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Identity and Access]  |7.10.0 |1
 
-|<<unusual-windows-user-privilege-elevation-activity, Unusual Windows User Privilege Elevation Activity>> |A machine learning job detected an unusual user context switch, using the `runas` command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like `runas` are more commonly used by domain and network administrators than by regular Windows users. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<unusual-windows-user-privilege-elevation-activity-history, Version history>>
+|<<possible-fin7-dga-command-and-control-behavior, Possible FIN7 DGA Command and Control Behavior>> |This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network. |[Elastic] [Network] [Threat Detection] [Command and Control]  |7.10.0 |1
 
-|<<unusual-windows-username, Unusual Windows Username>> |A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. |[Elastic] [ML] [Windows]  |7.7.0 |2 <<unusual-windows-username-history, Version history>>
+|<<possible-okta-dos-attack, Possible Okta DoS Attack>> |An adversary may attempt to disrupt an organization's business operations by performing a denial of service (DoS) attack against its Okta infrastructure. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<possible-okta-dos-attack-history, Version history>>
 
-|<<user-account-creation, User Account Creation>> |Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain. |[Elastic] [Windows]  |7.6.0 |4 <<user-account-creation-history, Version history>>
+|<<potential-application-shimming-via-sdbinst, Potential Application Shimming via Sdbinst>> |The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |4 <<potential-application-shimming-via-sdbinst-history, Version history>>
 
-|<<user-discovery-via-whoami, User Discovery via Whoami>> |The `whoami` application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access. |[Elastic] [Linux]  |7.6.0 |4 <<user-discovery-via-whoami-history, Version history>>
+|<<potential-dll-sideloading-via-trusted-microsoft-programs, Potential DLL SideLoading via Trusted Microsoft Programs>> |Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
 
-|<<vnc-virtual-network-computing-from-the-internet, VNC (Virtual Network Computing) from the Internet>> |Detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network]  |7.6.0 |4 <<vnc-virtual-network-computing-from-the-internet-history, Version history>>
+|<<potential-dns-tunneling-via-iodine, Potential DNS Tunneling via Iodine>> |Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |5 <<potential-dns-tunneling-via-iodine-history, Version history>>
 
-|<<vnc-virtual-network-computing-to-the-internet, VNC (Virtual Network Computing) to the Internet>> |Detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Network]  |7.6.0 |4 <<vnc-virtual-network-computing-to-the-internet-history, Version history>>
+|<<potential-disabling-of-selinux, Potential Disabling of SELinux>> |Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature that supports access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. |[Elastic] [Host] [Linux] [Threat Detection] [Defense Evasion]  |7.8.0 |4 <<potential-disabling-of-selinux-history, Version history>>
 
-|<<virtual-machine-fingerprinting, Virtual Machine Fingerprinting>> |An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by Pupy RAT and other malware. |[Elastic] [Linux]  |7.8.0 |3 <<virtual-machine-fingerprinting-history, Version history>>
+|<<potential-evasion-via-filter-manager, Potential Evasion via Filter Manager>> |The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |4 <<potential-evasion-via-filter-manager-history, Version history>>
 
-|<<volume-shadow-copy-deletion-via-vssadmin, Volume Shadow Copy Deletion via VssAdmin>> |Identifies use of `vssadmin.exe` for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. |[Elastic] [Windows]  |7.6.0 |4 <<volume-shadow-copy-deletion-via-vssadmin-history, Version history>>
+|<<potential-modification-of-accessibility-binaries, Potential Modification of Accessibility Binaries>> |Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |4 <<potential-modification-of-accessibility-binaries-history, Version history>>
 
-|<<volume-shadow-copy-deletion-via-wmic, Volume Shadow Copy Deletion via WMIC>> |Identifies use of `wmic.exe` for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. |[Elastic] [Windows]  |7.6.0 |4 <<volume-shadow-copy-deletion-via-wmic-history, Version history>>
+|<<potential-secure-file-deletion-via-sdelete-utility, Potential Secure File Deletion via SDelete Utility>> |Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
 
-|<<web-application-suspicious-activity-no-user-agent, Web Application Suspicious Activity: No User Agent>> |A request to a web application server contained no identifying user agent string. |[APM] [Elastic]  |7.6.0 |3 <<web-application-suspicious-activity-no-user-agent-history, Version history>>
+|<<potential-shell-via-web-server, Potential Shell via Web Server>> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. |[Elastic] [Host] [Linux] [Threat Detection] [Persistence]  |7.6.0 |6 <<potential-shell-via-web-server-history, Version history>>
 
-|<<web-application-suspicious-activity-post-request-declined, Web Application Suspicious Activity: POST Request Declined>> |A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed. |[APM] [Elastic]  |7.6.0 |3 <<web-application-suspicious-activity-post-request-declined-history, Version history>>
+|<<powershell-spawning-cmd, PowerShell spawning Cmd>> |Identifies a suspicious parent child process relationship with `cmd.exe` descending from `PowerShell.exe`. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<powershell-spawning-cmd-history, Version history>>
 
-|<<web-application-suspicious-activity-unauthorized-method, Web Application Suspicious Activity: Unauthorized Method>> |A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource. |[APM] [Elastic]  |7.6.0 |3 <<web-application-suspicious-activity-unauthorized-method-history, Version history>>
+|<<process-activity-via-compiled-html-file, Process Activity via Compiled HTML File>> |Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (`hh.exe`). |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |4 <<process-activity-via-compiled-html-file-history, Version history>>
 
-|<<web-application-suspicious-activity-sqlmap-user-agent, Web Application Suspicious Activity: sqlmap User Agent>> |This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. |[APM] [Elastic]  |7.6.0 |3 <<web-application-suspicious-activity-sqlmap-user-agent-history, Version history>>
+|<<process-discovery-via-tasklist, Process Discovery via Tasklist>> |Adversaries may attempt to get information about running processes on a system. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.6.0 |4 <<process-discovery-via-tasklist-history, Version history>>
 
-|<<whoami-process-activity, Whoami Process Activity>> |Identifies use of `whoami.exe` which displays user, group, and privileges information for the user who is currently logged on to the local system. |[Elastic] [Windows]  |7.6.0 |3 <<whoami-process-activity-history, Version history>>
+|<<process-injection-detected-endpoint-security, Process Injection - Detected - Endpoint Security>> |Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<process-injection-detected-endpoint-security-history, Version history>>
 
-|<<windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball, Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)>> |A spoofing vulnerability exists in the way Windows CryptoAPI (`Crypt32.dll`) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. |[Elastic] [Windows]  |7.7.0 |2 <<windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball-history, Version history>>
+|<<process-injection-prevented-endpoint-security, Process Injection - Prevented - Endpoint Security>> |Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<process-injection-prevented-endpoint-security-history, Version history>>
 
-|<<windows-script-executing-powershell, Windows Script Executing PowerShell>> |Identifies a PowerShell process launched by either `cscript.exe` or `wscript.exe`. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. |[Elastic] [Windows]  |7.6.0 |4 <<windows-script-executing-powershell-history, Version history>>
+|<<process-injection-by-the-microsoft-build-engine, Process Injection by the Microsoft Build Engine>> |An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.7.0 |3 <<process-injection-by-the-microsoft-build-engine-history, Version history>>
+
+|<<process-potentially-masquerading-as-werfault, Process Potentially Masquerading as WerFault>> |Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<proxy-port-activity-to-the-internet, Proxy Port Activity to the Internet>> |Detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<proxy-port-activity-to-the-internet-history, Version history>>
+
+|<<psexec-network-connection, PsExec Network Connection>> |Identifies use of the SysInternals tool `PsExec.exe` making a network connection. This could be an indication of lateral movement. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<psexec-network-connection-history, Version history>>
+
+|<<public-ip-reconnaissance-activity, Public IP Reconnaissance Activity>> |Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot. |[Elastic] [Network] [Threat Detection] [Discovery]  |7.10.0 |1
+
+|<<rdp-remote-desktop-protocol-from-the-internet, RDP (Remote Desktop Protocol) from the Internet>> |Detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<rdp-remote-desktop-protocol-from-the-internet-history, Version history>>
+
+|<<rdp-remote-desktop-protocol-to-the-internet, RDP (Remote Desktop Protocol) to the Internet>> |Detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Host] [Network] [Threat Detection] [Initial Access]  |7.6.0 |5 <<rdp-remote-desktop-protocol-to-the-internet-history, Version history>>
+
+|<<rpc-remote-procedure-call-from-the-internet, RPC (Remote Procedure Call) from the Internet>> |Detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Host] [Network] [Threat Detection] [Initial Access]  |7.6.0 |5 <<rpc-remote-procedure-call-from-the-internet-history, Version history>>
+
+|<<rpc-remote-procedure-call-to-the-internet, RPC (Remote Procedure Call) to the Internet>> |Detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Host] [Network] [Threat Detection] [Initial Access]  |7.6.0 |5 <<rpc-remote-procedure-call-to-the-internet-history, Version history>>
+
+|<<ransomware-detected-endpoint-security, Ransomware - Detected - Endpoint Security>> |Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<ransomware-detected-endpoint-security-history, Version history>>
+
+|<<ransomware-prevented-endpoint-security, Ransomware - Prevented - Endpoint Security>> |Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information. |[Elastic] [Endpoint Security]  |7.6.0 |4 <<ransomware-prevented-endpoint-security-history, Version history>>
+
+|<<rare-aws-error-code, Rare AWS Error Code>> |A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. |[Elastic] [Cloud] [AWS] [ML]  |7.9.0 |2 <<rare-aws-error-code-history, Version history>>
+
+|<<remote-file-copy-via-teamviewer, Remote File Copy via TeamViewer>> |Identifies an executable or script file remotely downloaded via a TeamViewer transfer session. |[Elastic] [Host] [Windows] [Threat Detection] [Command and Control]  |7.10.0 |1
+
+|<<remote-file-download-via-desktopimgdownldr-utility, Remote File Download via Desktopimgdownldr Utility>> |Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. |[Elastic] [Host] [Windows] [Threat Detection] [Command and Control]  |7.10.0 |1
+
+|<<remote-file-download-via-mpcmdrun, Remote File Download via MpCmdRun>> |Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file. |[Elastic] [Host] [Windows] [Threat Detection] [Command and Control]  |7.10.0 |1
+
+|<<remote-ssh-login-enabled-via-systemsetup-command, Remote SSH Login Enabled via systemsetup Command>> |Detects use of the systemsetup command to enable remote SSH Login. |[Elastic] [Host] [macOS] [Threat Detection] [Lateral Movement]  |7.10.0 |1
+
+|<<renamed-autoit-scripts-interpreter, Renamed AutoIt Scripts Interpreter>> |Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable to avoid detection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<roshal-archive-rar-or-powershell-file-downloaded-from-the-internet, Roshal Archive (RAR) or PowerShell File Downloaded from the Internet>> |Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control. |[Elastic] [Network] [Threat Detection] [Command and Control]  |7.10.0 |1
+
+|<<smb-windows-file-sharing-activity-to-the-internet, SMB (Windows File Sharing) Activity to the Internet>> |Detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back- door vector or for data exfiltration. |[Elastic] [Host] [Network] [Threat Detection] [Initial Access]  |7.6.0 |5 <<smb-windows-file-sharing-activity-to-the-internet-history, Version history>>
+
+|<<smtp-on-port-26-tcp, SMTP on Port 26/TCP>> |Detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |4 <<smtp-on-port-26-tcp-history, Version history>>
+
+|<<smtp-to-the-internet, SMTP to the Internet>> |Detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<smtp-to-the-internet-history, Version history>>
+
+|<<sql-traffic-to-the-internet, SQL Traffic to the Internet>> |Detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<sql-traffic-to-the-internet-history, Version history>>
+
+|<<ssh-secure-shell-from-the-internet, SSH (Secure Shell) from the Internet>> |Detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<ssh-secure-shell-from-the-internet-history, Version history>>
+
+|<<ssh-secure-shell-to-the-internet, SSH (Secure Shell) to the Internet>> |Detects network events that may indicate the use of SSH traffic to the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<ssh-secure-shell-to-the-internet-history, Version history>>
+
+|<<service-command-lateral-movement, Service Command Lateral Movement>> |Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins. |[Elastic] [Host] [Windows] [Threat Detection] [Lateral Movement]  |7.10.0 |1
+
+|<<setgid-bit-set-via-chmod, Setgid Bit Set via chmod>> |An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. |[Elastic] [Host] [Linux] [Threat Detection] [Privilege Escalation]  |7.8.0 |4 <<setgid-bit-set-via-chmod-history, Version history>>
+
+|<<setuid-bit-set-via-chmod, Setuid Bit Set via chmod>> |An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. |[Elastic] [Host] [Linux] [Threat Detection] [Privilege Escalation]  |7.8.0 |4 <<setuid-bit-set-via-chmod-history, Version history>>
+
+|<<socat-process-activity, Socat Process Activity>> |A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |5 <<socat-process-activity-history, Version history>>
+
+|<<spike-in-aws-error-messages, Spike in AWS Error Messages>> |A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery. |[Elastic] [Cloud] [AWS] [ML]  |7.9.0 |2 <<spike-in-aws-error-messages-history, Version history>>
+
+|<<strace-process-activity, Strace Process Activity>> |Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |5 <<strace-process-activity-history, Version history>>
+
+|<<sudoers-file-modification, Sudoers File Modification>> |A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. |[Elastic] [Host] [Linux] [Threat Detection] [Privilege Escalation]  |7.8.0 |4 <<sudoers-file-modification-history, Version history>>
+
+|<<suspicious-.net-code-compilation, Suspicious .NET Code Compilation>> |Identifies suspicious .NET code execution. connections. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<suspicious-activity-reported-by-okta-user, Suspicious Activity Reported by Okta User>> |This rule detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<suspicious-activity-reported-by-okta-user-history, Version history>>
+
+|<<suspicious-endpoint-security-parent-process, Suspicious Endpoint Security Parent Process>> |A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<suspicious-ms-office-child-process, Suspicious MS Office Child Process>> |Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<suspicious-ms-office-child-process-history, Version history>>
+
+|<<suspicious-ms-outlook-child-process, Suspicious MS Outlook Child Process>> |Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<suspicious-ms-outlook-child-process-history, Version history>>
+
+|<<suspicious-managed-code-hosting-process, Suspicious Managed Code Hosting Process>> |Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<suspicious-pdf-reader-child-process, Suspicious PDF Reader Child Process>> |Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.7.0 |4 <<suspicious-pdf-reader-child-process-history, Version history>>
+
+|<<suspicious-powershell-script, Suspicious Powershell Script>> |A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<suspicious-powershell-script-history, Version history>>
+
+|<<suspicious-printspooler-spl-file-created, Suspicious PrintSpooler SPL File Created>> |Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. . |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.10.0 |1
+
+|<<suspicious-printspooler-service-executable-file-creation, Suspicious PrintSpooler Service Executable File Creation>> |Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.10.0 |1
+
+|<<suspicious-process-execution-via-renamed-psexec-executable, Suspicious Process Execution via Renamed PsExec Executable>> |Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |1
+
+|<<suspicious-process-from-conhost, Suspicious Process from Conhost>> |Identifies a suspicious Conhost child process which may be an indication of code injection activity. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<suspicious-wmic-xsl-script-execution, Suspicious WMIC XSL Script Execution>> |Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<suspicious-werfault-child-process, Suspicious WerFault Child Process>> |A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<suspicious-zoom-child-process, Suspicious Zoom Child Process>> |A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<svchost-spawning-cmd, Svchost spawning Cmd>> |Identifies a suspicious parent-child process relationship with cmd.exe descending from `svchost.exe`. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<svchost-spawning-cmd-history, Version history>>
+
+|<<system-shells-via-services, System Shells via Services>> |Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |5 <<system-shells-via-services-history, Version history>>
+
+|<<tcp-port-8000-activity-to-the-internet, TCP Port 8000 Activity to the Internet>> |TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<tcp-port-8000-activity-to-the-internet-history, Version history>>
+
+|<<telnet-port-activity, Telnet Port Activity>> |Detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |4 <<telnet-port-activity-history, Version history>>
+
+|<<threat-detected-by-okta-threatinsight, Threat Detected by Okta ThreatInsight>> |This rule detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential-based attacks against their organization, such as brute-force and password-spraying attacks. |[Elastic] [Identity] [Okta] [Continuous Monitoring] [SecOps] [Monitoring]  |7.9.0 |2 <<threat-detected-by-okta-threatinsight-history, Version history>>
+
+|<<tor-activity-to-the-internet, Tor Activity to the Internet>> |Detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<tor-activity-to-the-internet-history, Version history>>
+
+|<<trusted-developer-application-usage, Trusted Developer Application Usage>> |Identifies possibly suspicious activity using a trusted Windows developer utility program. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |4 <<trusted-developer-application-usage-history, Version history>>
+
+|<<uac-bypass-via-diskcleanup-scheduled-task-hijack, UAC Bypass via DiskCleanup Scheduled Task Hijack>> |Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.10.0 |1
+
+|<<unusual-aws-command-for-a-user, Unusual AWS Command for a User>> |A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data. |[Elastic] [Cloud] [AWS] [ML]  |7.9.0 |2 <<unusual-aws-command-for-a-user-history, Version history>>
+
+|<<unusual-child-process-from-a-system-virtual-process, Unusual Child Process from a System Virtual Process>> |Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<unusual-child-process-of-dns.exe, Unusual Child Process of dns.exe>> |Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |1
+
+|<<unusual-child-processes-of-rundll32, Unusual Child Processes of RunDLL32>> |Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<unusual-city-for-an-aws-command, Unusual City For an AWS Command>> |A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different location from the authorized users. |[Elastic] [Cloud] [AWS] [ML]  |7.9.0 |2 <<unusual-city-for-an-aws-command-history, Version history>>
+
+|<<unusual-country-for-an-aws-command, Unusual Country For an AWS Command>> |A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different location from the authorized users. |[Elastic] [Cloud] [AWS] [ML]  |7.9.0 |2 <<unusual-country-for-an-aws-command-history, Version history>>
+
+|<<unusual-dns-activity, Unusual DNS Activity>> |A machine learning job detected a rare and unusual DNS query that indicates network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication. |[Elastic] [Network] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-dns-activity-history, Version history>>
+
+|<<unusual-executable-file-creation-by-a-system-critical-process, Unusual Executable File Creation by a System Critical Process>> |Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<unusual-file-modification-by-dns.exe, Unusual File Modification by dns.exe>> |Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |1
+
+|<<unusual-linux-network-activity, Unusual Linux Network Activity>> |Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-linux-network-activity-history, Version history>>
+
+|<<unusual-linux-network-connection-discovery, Unusual Linux Network Connection Discovery>> |Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-linux-network-port-activity, Unusual Linux Network Port Activity>> |Identifies unusual destination port activity that can indicate command-and- control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-linux-network-port-activity-history, Version history>>
+
+|<<unusual-linux-network-service, Unusual Linux Network Service>> |Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-linux-network-service-history, Version history>>
+
+|<<unusual-linux-process-calling-the-metadata-service, Unusual Linux Process Calling the Metadata Service>> |Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-linux-process-discovery-activity, Unusual Linux Process Discovery Activity>> |Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-linux-system-information-discovery-activity, Unusual Linux System Information Discovery Activity>> |Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-linux-system-network-configuration-discovery, Unusual Linux System Network Configuration Discovery>> |Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-linux-system-owner-or-user-discovery-activity, Unusual Linux System Owner or User Discovery Activity>> |Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-linux-user-calling-the-metadata-service, Unusual Linux User Calling the Metadata Service>> |Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-linux-username, Unusual Linux Username>> |A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-linux-username-history, Version history>>
+
+|<<unusual-linux-web-activity, Unusual Linux Web Activity>> |A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-linux-web-activity-history, Version history>>
+
+|<<unusual-login-activity, Unusual Login Activity>> |Identifies an unusually high number of authentication attempts. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-login-activity-history, Version history>>
+
+|<<unusual-network-activity-from-a-windows-system-binary, Unusual Network Activity from a Windows System Binary>> |Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<unusual-network-connection-via-rundll32, Unusual Network Connection via RunDLL32>> |Identifies unusual instances of `rundll32.exe` making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |6 <<unusual-network-connection-via-rundll32-history, Version history>>
+
+|<<unusual-network-destination-domain-name, Unusual Network Destination Domain Name>> |A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication. |[Elastic] [Network] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-network-destination-domain-name-history, Version history>>
+
+|<<unusual-parent-process-for-cmd.exe, Unusual Parent Process for cmd.exe>> |Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.10.0 |1
+
+|<<unusual-parent-child-relationship, Unusual Parent-Child Relationship>> |Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. |[Elastic] [Host] [Windows] [Threat Detection] [Privilege Escalation]  |7.6.0 |5 <<unusual-parent-child-relationship-history, Version history>>
+
+|<<unusual-process-execution-temp, Unusual Process Execution - Temp>> |Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware. |[Elastic] [Host] [Linux] [Threat Detection]  |7.6.0 |5 <<unusual-process-execution-temp-history, Version history>>
+
+|<<unusual-process-for-a-linux-host, Unusual Process For a Linux Host>> |Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-process-for-a-linux-host-history, Version history>>
+
+|<<unusual-process-for-a-windows-host, Unusual Process For a Windows Host>> |Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-process-for-a-windows-host-history, Version history>>
+
+|<<unusual-process-network-connection, Unusual Process Network Connection>> |Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<unusual-process-network-connection-history, Version history>>
+
+|<<unusual-sudo-activity, Unusual Sudo Activity>> |Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts. |[Elastic] [Host] [Linux] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-web-request, Unusual Web Request>> |A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command- and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic. |[Elastic] [Network] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-web-request-history, Version history>>
+
+|<<unusual-web-user-agent, Unusual Web User Agent>> |A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity. |[Elastic] [Network] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-web-user-agent-history, Version history>>
+
+|<<unusual-windows-network-activity, Unusual Windows Network Activity>> |Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-windows-network-activity-history, Version history>>
+
+|<<unusual-windows-path-activity, Unusual Windows Path Activity>> |Identifies processes started from atypical folders in the file system, which may indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-windows-path-activity-history, Version history>>
+
+|<<unusual-windows-process-calling-the-metadata-service, Unusual Windows Process Calling the Metadata Service>> |Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-windows-remote-user, Unusual Windows Remote User>> |A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-windows-remote-user-history, Version history>>
+
+|<<unusual-windows-service, Unusual Windows Service>> |A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-windows-service-history, Version history>>
+
+|<<unusual-windows-user-calling-the-metadata-service, Unusual Windows User Calling the Metadata Service>> |Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.10.0 |1
+
+|<<unusual-windows-user-privilege-elevation-activity, Unusual Windows User Privilege Elevation Activity>> |A machine learning job detected an unusual user context switch, using the `runas` command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like `runas` are more commonly used by domain and network administrators than by regular Windows users. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-windows-user-privilege-elevation-activity-history, Version history>>
+
+|<<unusual-windows-username, Unusual Windows Username>> |A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another. |[Elastic] [Host] [Windows] [Threat Detection] [ML]  |7.7.0 |3 <<unusual-windows-username-history, Version history>>
+
+|<<user-account-creation, User Account Creation>> |Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence]  |7.6.0 |5 <<user-account-creation-history, Version history>>
+
+|<<user-added-as-owner-for-azure-application, User Added as Owner for Azure Application>> |Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
+
+|<<user-added-as-owner-for-azure-service-principal, User Added as Owner for Azure Service Principal>> |Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant. |[Elastic] [Cloud] [Azure] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
+
+|<<user-discovery-via-whoami, User Discovery via Whoami>> |The `whoami` application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access. |[Elastic] [Host] [Linux] [Threat Detection] [Discovery]  |7.6.0 |5 <<user-discovery-via-whoami-history, Version history>>
+
+|<<vnc-virtual-network-computing-from-the-internet, VNC (Virtual Network Computing) from the Internet>> |Detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<vnc-virtual-network-computing-from-the-internet-history, Version history>>
+
+|<<vnc-virtual-network-computing-to-the-internet, VNC (Virtual Network Computing) to the Internet>> |Detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control]  |7.6.0 |5 <<vnc-virtual-network-computing-to-the-internet-history, Version history>>
+
+|<<virtual-machine-fingerprinting, Virtual Machine Fingerprinting>> |An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by Pupy RAT and other malware. |[Elastic] [Host] [Linux] [Threat Detection] [Discovery]  |7.8.0 |4 <<virtual-machine-fingerprinting-history, Version history>>
+
+|<<volume-shadow-copy-deletion-via-vssadmin, Volume Shadow Copy Deletion via VssAdmin>> |Identifies use of `vssadmin.exe` for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |5 <<volume-shadow-copy-deletion-via-vssadmin-history, Version history>>
+
+|<<volume-shadow-copy-deletion-via-wmic, Volume Shadow Copy Deletion via WMIC>> |Identifies use of `wmic.exe` for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.6.0 |5 <<volume-shadow-copy-deletion-via-wmic-history, Version history>>
+
+|<<web-application-suspicious-activity-no-user-agent, Web Application Suspicious Activity: No User Agent>> |A request to a web application server contained no identifying user agent string. |[Elastic] [APM]  |7.6.0 |4 <<web-application-suspicious-activity-no-user-agent-history, Version history>>
+
+|<<web-application-suspicious-activity-post-request-declined, Web Application Suspicious Activity: POST Request Declined>> |A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed. |[Elastic] [APM]  |7.6.0 |4 <<web-application-suspicious-activity-post-request-declined-history, Version history>>
+
+|<<web-application-suspicious-activity-unauthorized-method, Web Application Suspicious Activity: Unauthorized Method>> |A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource. |[Elastic] [APM]  |7.6.0 |4 <<web-application-suspicious-activity-unauthorized-method-history, Version history>>
+
+|<<web-application-suspicious-activity-sqlmap-user-agent, Web Application Suspicious Activity: sqlmap User Agent>> |This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. |[Elastic] [APM]  |7.6.0 |4 <<web-application-suspicious-activity-sqlmap-user-agent-history, Version history>>
+
+|<<whoami-process-activity, Whoami Process Activity>> |Identifies use of `whoami.exe` which displays user, group, and privileges information for the user who is currently logged on to the local system. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery]  |7.6.0 |4 <<whoami-process-activity-history, Version history>>
+
+|<<windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball, Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)>> |A spoofing vulnerability exists in the way Windows CryptoAPI (`Crypt32.dll`) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.7.0 |3 <<windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball-history, Version history>>
+
+|<<windows-script-executing-powershell, Windows Script Executing PowerShell>> |Identifies a PowerShell process launched by either `cscript.exe` or `wscript.exe`. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. |[Elastic] [Host] [Windows] [Threat Detection] [Execution]  |7.6.0 |5 <<windows-script-executing-powershell-history, Version history>>
+
+|<<windows-suspicious-script-object-execution, Windows Suspicious Script Object Execution>> |Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process. |[Elastic] [Host] [Windows] [Threat Detection] [Defense Evasion]  |7.10.0 |1
+
+|<<zoom-meeting-with-no-passcode, Zoom Meeting with no Passcode>> |This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session. |[Elastic] [Application] [Communication] [Zoom] [Continuous Monitoring] [SecOps] [Configuration Audit]  |7.10.0 |1
 
 |==============================================
\ No newline at end of file
diff --git a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc
index 9911bb268e..caddfa440e 100644
--- a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc
@@ -22,6 +22,7 @@ include::rule-details/aws-iam-group-creation.asciidoc[]
 include::rule-details/aws-iam-group-deletion.asciidoc[]
 include::rule-details/aws-iam-password-recovery-requested.asciidoc[]
 include::rule-details/aws-iam-user-addition-to-group.asciidoc[]
+include::rule-details/aws-management-console-brute-force-of-root-user-identity.asciidoc[]
 include::rule-details/aws-management-console-root-login.asciidoc[]
 include::rule-details/aws-rds-cluster-creation.asciidoc[]
 include::rule-details/aws-rds-cluster-deletion.asciidoc[]
@@ -30,10 +31,13 @@ include::rule-details/aws-root-login-without-mfa.asciidoc[]
 include::rule-details/aws-s3-bucket-configuration-deletion.asciidoc[]
 include::rule-details/aws-waf-access-control-list-deletion.asciidoc[]
 include::rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc[]
+include::rule-details/abnormally-large-dns-response.asciidoc[]
 include::rule-details/adding-hidden-file-attribute-via-attrib.asciidoc[]
 include::rule-details/administrator-privileges-assigned-to-okta-group.asciidoc[]
 include::rule-details/adobe-hijack-persistence.asciidoc[]
-include::rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc[]
+include::rule-details/adversary-behavior-detected-endpoint-security.asciidoc[]
+include::rule-details/anomalous-kernel-module-activity.asciidoc[]
+include::rule-details/anomalous-linux-compiler-activity.asciidoc[]
 include::rule-details/anomalous-process-for-a-linux-population.asciidoc[]
 include::rule-details/anomalous-process-for-a-windows-population.asciidoc[]
 include::rule-details/anomalous-windows-process-creation.asciidoc[]
@@ -50,18 +54,42 @@ include::rule-details/attempt-to-modify-okta-policy.asciidoc[]
 include::rule-details/attempt-to-reset-mfa-factors-for-okta-user-account.asciidoc[]
 include::rule-details/attempt-to-revoke-okta-api-token.asciidoc[]
 include::rule-details/attempted-bypass-of-okta-mfa.asciidoc[]
+include::rule-details/attempts-to-brute-force-an-okta-user-account.asciidoc[]
+include::rule-details/azure-automation-account-created.asciidoc[]
+include::rule-details/azure-automation-runbook-created-or-modified.asciidoc[]
+include::rule-details/azure-automation-runbook-deleted.asciidoc[]
+include::rule-details/azure-automation-webhook-created.asciidoc[]
+include::rule-details/azure-blob-container-access-level-modification.asciidoc[]
+include::rule-details/azure-command-execution-on-virtual-machine.asciidoc[]
+include::rule-details/azure-conditional-access-policy-modified.asciidoc[]
+include::rule-details/azure-diagnostic-settings-deletion.asciidoc[]
+include::rule-details/azure-event-hub-authorization-rule-created-or-updated.asciidoc[]
+include::rule-details/azure-event-hub-deletion.asciidoc[]
+include::rule-details/azure-external-guest-user-invitation.asciidoc[]
+include::rule-details/azure-firewall-policy-deletion.asciidoc[]
+include::rule-details/azure-global-administrator-role-addition-to-pim-user.asciidoc[]
+include::rule-details/azure-key-vault-modified.asciidoc[]
+include::rule-details/azure-network-watcher-deletion.asciidoc[]
+include::rule-details/azure-privilege-identity-management-role-modified.asciidoc[]
+include::rule-details/azure-resource-group-deletion.asciidoc[]
+include::rule-details/azure-storage-account-key-regenerated.asciidoc[]
 include::rule-details/base16-or-base32-encoding-decoding-activity.asciidoc[]
 include::rule-details/base64-encoding-decoding-activity.asciidoc[]
 include::rule-details/bypass-uac-via-event-viewer.asciidoc[]
 include::rule-details/clearing-windows-event-logs.asciidoc[]
+include::rule-details/cobalt-strike-command-and-control-beacon.asciidoc[]
 include::rule-details/command-prompt-network-connection.asciidoc[]
+include::rule-details/compression-of-keychain-credentials-directories.asciidoc[]
+include::rule-details/conhost-spawned-by-suspicious-parent-process.asciidoc[]
 include::rule-details/connection-to-external-network-via-telnet.asciidoc[]
 include::rule-details/connection-to-internal-network-via-telnet.asciidoc[]
 include::rule-details/creation-of-hidden-files-and-directories.asciidoc[]
-include::rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc[]
-include::rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc[]
-include::rule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc[]
-include::rule-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc[]
+include::rule-details/creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc[]
+include::rule-details/creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc[]
+include::rule-details/credential-dumping-detected-endpoint-security.asciidoc[]
+include::rule-details/credential-dumping-prevented-endpoint-security.asciidoc[]
+include::rule-details/credential-manipulation-detected-endpoint-security.asciidoc[]
+include::rule-details/credential-manipulation-prevented-endpoint-security.asciidoc[]
 include::rule-details/dns-activity-to-the-internet.asciidoc[]
 include::rule-details/dns-tunneling.asciidoc[]
 include::rule-details/delete-volume-usn-journal-with-fsutil.asciidoc[]
@@ -69,92 +97,155 @@ include::rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc[]
 include::rule-details/deletion-of-bash-command-line-history.asciidoc[]
 include::rule-details/direct-outbound-smb-connection.asciidoc[]
 include::rule-details/disable-windows-firewall-rules-via-netsh.asciidoc[]
-include::rule-details/elastic-endpoint-security.asciidoc[]
 include::rule-details/encoding-or-decoding-files-via-certutil.asciidoc[]
+include::rule-details/endpoint-security.asciidoc[]
 include::rule-details/enumeration-of-kernel-modules.asciidoc[]
+include::rule-details/execution-of-file-written-or-modified-by-microsoft-office.asciidoc[]
+include::rule-details/execution-of-file-written-or-modified-by-pdf-reader.asciidoc[]
+include::rule-details/execution-via-mssql-xp_cmdshell-stored-procedure.asciidoc[]
 include::rule-details/execution-via-regsvcs-regasm.asciidoc[]
-include::rule-details/exploit-detected-elastic-endpoint-security.asciidoc[]
-include::rule-details/exploit-prevented-elastic-endpoint-security.asciidoc[]
+include::rule-details/exploit-detected-endpoint-security.asciidoc[]
+include::rule-details/exploit-prevented-endpoint-security.asciidoc[]
 include::rule-details/external-alerts.asciidoc[]
 include::rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc[]
 include::rule-details/file-deletion-via-shred.asciidoc[]
 include::rule-details/file-permission-modification-in-writable-directory.asciidoc[]
+include::rule-details/gcp-firewall-rule-creation.asciidoc[]
+include::rule-details/gcp-firewall-rule-deletion.asciidoc[]
+include::rule-details/gcp-firewall-rule-modification.asciidoc[]
+include::rule-details/gcp-iam-custom-role-creation.asciidoc[]
+include::rule-details/gcp-iam-role-deletion.asciidoc[]
+include::rule-details/gcp-iam-service-account-key-deletion.asciidoc[]
+include::rule-details/gcp-logging-bucket-deletion.asciidoc[]
+include::rule-details/gcp-logging-sink-deletion.asciidoc[]
+include::rule-details/gcp-logging-sink-modification.asciidoc[]
+include::rule-details/gcp-pub-sub-subscription-creation.asciidoc[]
+include::rule-details/gcp-pub-sub-subscription-deletion.asciidoc[]
+include::rule-details/gcp-pub-sub-topic-creation.asciidoc[]
+include::rule-details/gcp-pub-sub-topic-deletion.asciidoc[]
+include::rule-details/gcp-service-account-creation.asciidoc[]
+include::rule-details/gcp-service-account-deletion.asciidoc[]
+include::rule-details/gcp-service-account-disabled.asciidoc[]
+include::rule-details/gcp-service-account-key-creation.asciidoc[]
+include::rule-details/gcp-storage-bucket-configuration-modification.asciidoc[]
+include::rule-details/gcp-storage-bucket-deletion.asciidoc[]
+include::rule-details/gcp-storage-bucket-permissions-modification.asciidoc[]
+include::rule-details/gcp-virtual-private-cloud-network-deletion.asciidoc[]
+include::rule-details/gcp-virtual-private-cloud-route-creation.asciidoc[]
+include::rule-details/gcp-virtual-private-cloud-route-deletion.asciidoc[]
+include::rule-details/halfbaked-command-and-control-beacon.asciidoc[]
 include::rule-details/hex-encoding-decoding-activity.asciidoc[]
+include::rule-details/high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc[]
+include::rule-details/hosts-file-modified.asciidoc[]
 include::rule-details/hping-process-activity.asciidoc[]
+include::rule-details/iis-http-logging-disabled.asciidoc[]
 include::rule-details/ipsec-nat-traversal-port-activity.asciidoc[]
 include::rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc[]
+include::rule-details/inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc[]
+include::rule-details/installutil-process-making-network-connections.asciidoc[]
+include::rule-details/installation-of-custom-shim-databases.asciidoc[]
 include::rule-details/interactive-terminal-spawned-via-perl.asciidoc[]
 include::rule-details/interactive-terminal-spawned-via-python.asciidoc[]
+include::rule-details/kerberos-cached-credentials-dumping.asciidoc[]
 include::rule-details/kernel-module-removal.asciidoc[]
 include::rule-details/local-scheduled-task-commands.asciidoc[]
 include::rule-details/local-service-commands.asciidoc[]
-include::rule-details/malware-detected-elastic-endpoint-security.asciidoc[]
-include::rule-details/malware-prevented-elastic-endpoint-security.asciidoc[]
+include::rule-details/malware-detected-endpoint-security.asciidoc[]
+include::rule-details/malware-prevented-endpoint-security.asciidoc[]
 include::rule-details/microsoft-build-engine-loading-windows-credential-libraries.asciidoc[]
 include::rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc[]
 include::rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc[]
 include::rule-details/microsoft-build-engine-started-by-a-system-process.asciidoc[]
 include::rule-details/microsoft-build-engine-started-by-an-office-application.asciidoc[]
 include::rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc[]
+include::rule-details/microsoft-iis-connection-strings-decryption.asciidoc[]
+include::rule-details/microsoft-iis-service-account-password-dumped.asciidoc[]
+include::rule-details/mimikatz-memssp-log-file-detected.asciidoc[]
 include::rule-details/mknod-process-activity.asciidoc[]
 include::rule-details/modification-of-boot-configuration.asciidoc[]
 include::rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc[]
 include::rule-details/msbuild-making-network-connections.asciidoc[]
+include::rule-details/mshta-making-network-connections.asciidoc[]
+include::rule-details/multi-factor-authentication-disabled-for-an-azure-user.asciidoc[]
 include::rule-details/net-command-via-system-account.asciidoc[]
 include::rule-details/netcat-network-activity.asciidoc[]
 include::rule-details/network-connection-via-certutil.asciidoc[]
 include::rule-details/network-connection-via-compiled-html-file.asciidoc[]
 include::rule-details/network-connection-via-msxsl.asciidoc[]
-include::rule-details/network-connection-via-mshta.asciidoc[]
-include::rule-details/network-connection-via-regsvr.asciidoc[]
+include::rule-details/network-connection-via-registration-utility.asciidoc[]
 include::rule-details/network-connection-via-signed-binary.asciidoc[]
 include::rule-details/network-sniffing-via-tcpdump.asciidoc[]
 include::rule-details/nmap-process-activity.asciidoc[]
 include::rule-details/nping-process-activity.asciidoc[]
 include::rule-details/okta-brute-force-or-password-spraying-attack.asciidoc[]
 include::rule-details/pptp-point-to-point-tunneling-protocol-activity.asciidoc[]
-include::rule-details/permission-theft-detected-elastic-endpoint-security.asciidoc[]
-include::rule-details/permission-theft-prevented-elastic-endpoint-security.asciidoc[]
+include::rule-details/permission-theft-detected-endpoint-security.asciidoc[]
+include::rule-details/permission-theft-prevented-endpoint-security.asciidoc[]
 include::rule-details/persistence-via-kernel-module-modification.asciidoc[]
+include::rule-details/persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc[]
+include::rule-details/persistence-via-update-orchestrator-service-hijack.asciidoc[]
+include::rule-details/possible-consent-grant-attack-via-azure-registered-application.asciidoc[]
+include::rule-details/possible-fin7-dga-command-and-control-behavior.asciidoc[]
 include::rule-details/possible-okta-dos-attack.asciidoc[]
 include::rule-details/potential-application-shimming-via-sdbinst.asciidoc[]
+include::rule-details/potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc[]
 include::rule-details/potential-dns-tunneling-via-iodine.asciidoc[]
 include::rule-details/potential-disabling-of-selinux.asciidoc[]
 include::rule-details/potential-evasion-via-filter-manager.asciidoc[]
 include::rule-details/potential-modification-of-accessibility-binaries.asciidoc[]
+include::rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc[]
 include::rule-details/potential-shell-via-web-server.asciidoc[]
 include::rule-details/powershell-spawning-cmd.asciidoc[]
 include::rule-details/process-activity-via-compiled-html-file.asciidoc[]
 include::rule-details/process-discovery-via-tasklist.asciidoc[]
-include::rule-details/process-injection-detected-elastic-endpoint-security.asciidoc[]
-include::rule-details/process-injection-prevented-elastic-endpoint-security.asciidoc[]
+include::rule-details/process-injection-detected-endpoint-security.asciidoc[]
+include::rule-details/process-injection-prevented-endpoint-security.asciidoc[]
 include::rule-details/process-injection-by-the-microsoft-build-engine.asciidoc[]
+include::rule-details/process-potentially-masquerading-as-werfault.asciidoc[]
 include::rule-details/proxy-port-activity-to-the-internet.asciidoc[]
 include::rule-details/psexec-network-connection.asciidoc[]
+include::rule-details/public-ip-reconnaissance-activity.asciidoc[]
 include::rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc[]
 include::rule-details/rdp-remote-desktop-protocol-to-the-internet.asciidoc[]
 include::rule-details/rpc-remote-procedure-call-from-the-internet.asciidoc[]
 include::rule-details/rpc-remote-procedure-call-to-the-internet.asciidoc[]
-include::rule-details/ransomware-detected-elastic-endpoint-security.asciidoc[]
-include::rule-details/ransomware-prevented-elastic-endpoint-security.asciidoc[]
+include::rule-details/ransomware-detected-endpoint-security.asciidoc[]
+include::rule-details/ransomware-prevented-endpoint-security.asciidoc[]
 include::rule-details/rare-aws-error-code.asciidoc[]
+include::rule-details/remote-file-copy-via-teamviewer.asciidoc[]
+include::rule-details/remote-file-download-via-desktopimgdownldr-utility.asciidoc[]
+include::rule-details/remote-file-download-via-mpcmdrun.asciidoc[]
+include::rule-details/remote-ssh-login-enabled-via-systemsetup-command.asciidoc[]
+include::rule-details/renamed-autoit-scripts-interpreter.asciidoc[]
+include::rule-details/roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc[]
 include::rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc[]
 include::rule-details/smtp-on-port-26-tcp.asciidoc[]
 include::rule-details/smtp-to-the-internet.asciidoc[]
 include::rule-details/sql-traffic-to-the-internet.asciidoc[]
 include::rule-details/ssh-secure-shell-from-the-internet.asciidoc[]
 include::rule-details/ssh-secure-shell-to-the-internet.asciidoc[]
+include::rule-details/service-command-lateral-movement.asciidoc[]
 include::rule-details/setgid-bit-set-via-chmod.asciidoc[]
 include::rule-details/setuid-bit-set-via-chmod.asciidoc[]
 include::rule-details/socat-process-activity.asciidoc[]
 include::rule-details/spike-in-aws-error-messages.asciidoc[]
 include::rule-details/strace-process-activity.asciidoc[]
 include::rule-details/sudoers-file-modification.asciidoc[]
+include::rule-details/suspicious-.net-code-compilation.asciidoc[]
 include::rule-details/suspicious-activity-reported-by-okta-user.asciidoc[]
+include::rule-details/suspicious-endpoint-security-parent-process.asciidoc[]
 include::rule-details/suspicious-ms-office-child-process.asciidoc[]
 include::rule-details/suspicious-ms-outlook-child-process.asciidoc[]
+include::rule-details/suspicious-managed-code-hosting-process.asciidoc[]
 include::rule-details/suspicious-pdf-reader-child-process.asciidoc[]
 include::rule-details/suspicious-powershell-script.asciidoc[]
+include::rule-details/suspicious-printspooler-spl-file-created.asciidoc[]
+include::rule-details/suspicious-printspooler-service-executable-file-creation.asciidoc[]
+include::rule-details/suspicious-process-execution-via-renamed-psexec-executable.asciidoc[]
+include::rule-details/suspicious-process-from-conhost.asciidoc[]
+include::rule-details/suspicious-wmic-xsl-script-execution.asciidoc[]
+include::rule-details/suspicious-werfault-child-process.asciidoc[]
+include::rule-details/suspicious-zoom-child-process.asciidoc[]
 include::rule-details/svchost-spawning-cmd.asciidoc[]
 include::rule-details/system-shells-via-services.asciidoc[]
 include::rule-details/tcp-port-8000-activity-to-the-internet.asciidoc[]
@@ -162,32 +253,52 @@ include::rule-details/telnet-port-activity.asciidoc[]
 include::rule-details/threat-detected-by-okta-threatinsight.asciidoc[]
 include::rule-details/tor-activity-to-the-internet.asciidoc[]
 include::rule-details/trusted-developer-application-usage.asciidoc[]
+include::rule-details/uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc[]
 include::rule-details/unusual-aws-command-for-a-user.asciidoc[]
+include::rule-details/unusual-child-process-from-a-system-virtual-process.asciidoc[]
+include::rule-details/unusual-child-process-of-dns.exe.asciidoc[]
+include::rule-details/unusual-child-processes-of-rundll32.asciidoc[]
 include::rule-details/unusual-city-for-an-aws-command.asciidoc[]
 include::rule-details/unusual-country-for-an-aws-command.asciidoc[]
 include::rule-details/unusual-dns-activity.asciidoc[]
+include::rule-details/unusual-executable-file-creation-by-a-system-critical-process.asciidoc[]
+include::rule-details/unusual-file-modification-by-dns.exe.asciidoc[]
 include::rule-details/unusual-linux-network-activity.asciidoc[]
+include::rule-details/unusual-linux-network-connection-discovery.asciidoc[]
 include::rule-details/unusual-linux-network-port-activity.asciidoc[]
 include::rule-details/unusual-linux-network-service.asciidoc[]
+include::rule-details/unusual-linux-process-calling-the-metadata-service.asciidoc[]
+include::rule-details/unusual-linux-process-discovery-activity.asciidoc[]
+include::rule-details/unusual-linux-system-information-discovery-activity.asciidoc[]
+include::rule-details/unusual-linux-system-network-configuration-discovery.asciidoc[]
+include::rule-details/unusual-linux-system-owner-or-user-discovery-activity.asciidoc[]
+include::rule-details/unusual-linux-user-calling-the-metadata-service.asciidoc[]
 include::rule-details/unusual-linux-username.asciidoc[]
 include::rule-details/unusual-linux-web-activity.asciidoc[]
 include::rule-details/unusual-login-activity.asciidoc[]
+include::rule-details/unusual-network-activity-from-a-windows-system-binary.asciidoc[]
 include::rule-details/unusual-network-connection-via-rundll32.asciidoc[]
 include::rule-details/unusual-network-destination-domain-name.asciidoc[]
+include::rule-details/unusual-parent-process-for-cmd.exe.asciidoc[]
 include::rule-details/unusual-parent-child-relationship.asciidoc[]
 include::rule-details/unusual-process-execution-temp.asciidoc[]
 include::rule-details/unusual-process-for-a-linux-host.asciidoc[]
 include::rule-details/unusual-process-for-a-windows-host.asciidoc[]
 include::rule-details/unusual-process-network-connection.asciidoc[]
+include::rule-details/unusual-sudo-activity.asciidoc[]
 include::rule-details/unusual-web-request.asciidoc[]
 include::rule-details/unusual-web-user-agent.asciidoc[]
 include::rule-details/unusual-windows-network-activity.asciidoc[]
 include::rule-details/unusual-windows-path-activity.asciidoc[]
+include::rule-details/unusual-windows-process-calling-the-metadata-service.asciidoc[]
 include::rule-details/unusual-windows-remote-user.asciidoc[]
 include::rule-details/unusual-windows-service.asciidoc[]
+include::rule-details/unusual-windows-user-calling-the-metadata-service.asciidoc[]
 include::rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc[]
 include::rule-details/unusual-windows-username.asciidoc[]
 include::rule-details/user-account-creation.asciidoc[]
+include::rule-details/user-added-as-owner-for-azure-application.asciidoc[]
+include::rule-details/user-added-as-owner-for-azure-service-principal.asciidoc[]
 include::rule-details/user-discovery-via-whoami.asciidoc[]
 include::rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc[]
 include::rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc[]
@@ -201,3 +312,5 @@ include::rule-details/web-application-suspicious-activity-sqlmap-user-agent.asci
 include::rule-details/whoami-process-activity.asciidoc[]
 include::rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc[]
 include::rule-details/windows-script-executing-powershell.asciidoc[]
+include::rule-details/windows-suspicious-script-object-execution.asciidoc[]
+include::rule-details/zoom-meeting-with-no-passcode.asciidoc[]
diff --git a/docs/detections/prebuilt-rules/rule-details/abnormally-large-dns-response.asciidoc b/docs/detections/prebuilt-rules/rule-details/abnormally-large-dns-response.asciidoc
new file mode 100644
index 0000000000..683bbcfe27
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/abnormally-large-dns-response.asciidoc
@@ -0,0 +1,80 @@
+[[abnormally-large-dns-response]]
+=== Abnormally Large DNS Response
+
+Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* packetbeat-*
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
+* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
+* https://github.com/maxpl0it/CVE-2020-1350-DoS
+
+*Tags*:
+
+* Elastic
+* Network
+* Threat Detection
+* Lateral Movement
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment.
+
+==== Investigation guide
+
+Detection alerts from this rule indicate an attempt was made to exploit
+CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS
+server. Here are some possible avenues of investigation:
+
+* Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.
+* Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
+* Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
+* Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:(network or network_traffic) and destination.port:53
+and (event.dataset:zeek.dns or type:dns or event.type:connection) and
+network.bytes > 60000
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Exploitation of Remote Services
+** ID: T1210
+** Reference URL: https://attack.mitre.org/techniques/T1210/
diff --git a/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc b/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc
index e76b707ed3..c784dd214b 100644
--- a/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc
@@ -24,13 +24,16 @@ in an attempt to evade detection.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 4 (<<adding-hidden-file-attribute-via-attrib-history, version history>>)
+*Version*: 5 (<<adding-hidden-file-attribute-via-attrib-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -71,6 +74,9 @@ process.name:attrib.exe and process.args:+h
 [[adding-hidden-file-attribute-via-attrib-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/administrator-privileges-assigned-to-okta-group.asciidoc b/docs/detections/prebuilt-rules/rule-details/administrator-privileges-assigned-to-okta-group.asciidoc
index ada6a1aa60..24748b2661 100644
--- a/docs/detections/prebuilt-rules/rule-details/administrator-privileges-assigned-to-okta-group.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/administrator-privileges-assigned-to-okta-group.asciidoc
@@ -9,6 +9,7 @@ order to assign additional permissions to compromised user accounts.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -28,15 +29,18 @@ order to assign additional permissions to compromised user accounts.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<administrator-privileges-assigned-to-okta-group-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -56,8 +60,7 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
-event.action:group.privilege.grant
+event.dataset:okta.system and event.action:group.privilege.grant
 ----------------------------------
 
 ==== Threat mapping
@@ -72,3 +75,16 @@ event.action:group.privilege.grant
 ** Name: Account Manipulation
 ** ID: T1098
 ** Reference URL: https://attack.mitre.org/techniques/T1098/
+
+[[administrator-privileges-assigned-to-okta-group-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:group.privilege.grant
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc b/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc
index 3efb639906..ee31b5c29d 100644
--- a/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc
@@ -24,13 +24,16 @@ run by Acrobat Reader when it starts.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Persistence
 
-*Version*: 4 (<<adobe-hijack-persistence-history, version history>>)
+*Version*: 5 (<<adobe-hijack-persistence-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -63,6 +66,9 @@ and not process.name:msiexec.exe
 [[adobe-hijack-persistence-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-endpoint-security.asciidoc
similarity index 62%
rename from docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-endpoint-security.asciidoc
index 95b44ba765..455bce3d2c 100644
--- a/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[adversary-behavior-detected-elastic-endpoint-security]]
-=== Adversary Behavior - Detected - Elastic Endpoint Security
+[[adversary-behavior-detected-endpoint-security]]
+=== Adversary Behavior - Detected - Endpoint Security
 
-Elastic Endpoint Security detected an Adversary Behavior. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security detected an Adversary Behavior. Click the Elastic Endp
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<adversary-behavior-detected-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<adversary-behavior-detected-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,9 +45,11 @@ endgame.event_subtype_full:rules_engine_event)
 ----------------------------------
 
 
-[[adversary-behavior-detected-elastic-endpoint-security-history]]
+[[adversary-behavior-detected-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Adversary Behavior - Detected - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Adversary Behavior - Detected - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/anomalous-kernel-module-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/anomalous-kernel-module-activity.asciidoc
new file mode 100644
index 0000000000..423711cbdb
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/anomalous-kernel-module-activity.asciidoc
@@ -0,0 +1,69 @@
+[[anomalous-kernel-module-activity]]
+=== Anomalous Kernel Module Activity
+
+Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_rare_kernel_module_arguments
+
+*Machine learning anomaly threshold*: 25
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* references
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection.
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Kernel Modules and Extensions
+** ID: T1215
+** Reference URL: https://attack.mitre.org/techniques/T1215/
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Kernel Modules and Extensions
+** ID: T1215
+** Reference URL: https://attack.mitre.org/techniques/T1215/
diff --git a/docs/detections/prebuilt-rules/rule-details/anomalous-linux-compiler-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/anomalous-linux-compiler-activity.asciidoc
new file mode 100644
index 0000000000..af5ea68eed
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/anomalous-linux-compiler-activity.asciidoc
@@ -0,0 +1,41 @@
+[[anomalous-linux-compiler-activity]]
+=== Anomalous Linux Compiler Activity
+
+Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_rare_user_compiler
+
+*Machine learning anomaly threshold*: 50
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the course of troubleshooting or fixing a software issue.
diff --git a/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc b/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc
index ef5bc2490a..445e877ae7 100644
--- a/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-linux-population.asciidoc
@@ -30,14 +30,16 @@ common to all or many hosts in a fleet.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 * ML
 
-*Version*: 2 (<<anomalous-process-for-a-linux-population-history, version history>>)
+*Version*: 3 (<<anomalous-process-for-a-linux-population-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -66,6 +68,9 @@ performing.
 [[anomalous-process-for-a-linux-population-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc b/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc
index d1ecc4ba91..a3e2a305ba 100644
--- a/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/anomalous-process-for-a-windows-population.asciidoc
@@ -30,14 +30,16 @@ common to all or many hosts in a fleet.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<anomalous-process-for-a-windows-population-history, version history>>)
+*Version*: 3 (<<anomalous-process-for-a-windows-population-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -75,6 +77,9 @@ as malware by anti-malware tools.
 [[anomalous-process-for-a-windows-population-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc
index d6b470783c..c195e077a3 100644
--- a/docs/detections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/anomalous-windows-process-creation.asciidoc
@@ -35,14 +35,16 @@ emerging malware that is not yet recognized by anti-virus scanners.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<anomalous-windows-process-creation-history, version history>>)
+*Version*: 3 (<<anomalous-windows-process-creation-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -55,6 +57,9 @@ Users running scripts in the course of technical support operations of software
 [[anomalous-windows-process-creation-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-create-okta-api-token.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-create-okta-api-token.asciidoc
index aa2d8cd0ba..977e1b0438 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-create-okta-api-token.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-create-okta-api-token.asciidoc
@@ -11,6 +11,7 @@ disabling security rules or policies.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -30,15 +31,18 @@ disabling security rules or policies.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-create-okta-api-token-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -57,8 +61,7 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
-event.action:system.api_token.create
+event.dataset:okta.system and event.action:system.api_token.create
 ----------------------------------
 
 ==== Threat mapping
@@ -73,3 +76,16 @@ event.action:system.api_token.create
 ** Name: Create Account
 ** ID: T1136
 ** Reference URL: https://attack.mitre.org/techniques/T1136/
+
+[[attempt-to-create-okta-api-token-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:system.api_token.create
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-mfa-for-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-mfa-for-okta-user-account.asciidoc
index 8de333830c..032c3a5e10 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-mfa-for-okta-user-account.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-mfa-for-okta-user-account.asciidoc
@@ -9,6 +9,7 @@ account in order to weaken the authentication requirements for the account.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -28,15 +29,18 @@ account in order to weaken the authentication requirements for the account.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-deactivate-mfa-for-okta-user-account-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -55,8 +59,7 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
-event.action:user.mfa.factor.deactivate
+event.dataset:okta.system and event.action:user.mfa.factor.deactivate
 ----------------------------------
 
 ==== Threat mapping
@@ -71,3 +74,16 @@ event.action:user.mfa.factor.deactivate
 ** Name: Account Manipulation
 ** ID: T1098
 ** Reference URL: https://attack.mitre.org/techniques/T1098/
+
+[[attempt-to-deactivate-mfa-for-okta-user-account-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:user.mfa.factor.deactivate
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-okta-mfa-rule.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-okta-mfa-rule.asciidoc
index e2897e766f..70bf7f7930 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-okta-mfa-rule.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-okta-mfa-rule.asciidoc
@@ -9,6 +9,7 @@ An adversary may attempt to deactivate an Okta multi-factor authentication
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -28,15 +29,18 @@ An adversary may attempt to deactivate an Okta multi-factor authentication
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-deactivate-okta-mfa-rule-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -55,6 +59,18 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
+event.dataset:okta.system and event.action:policy.rule.deactivate
+----------------------------------
+
+
+[[attempt-to-deactivate-okta-mfa-rule-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.module:okta and event.dataset:okta.system and
 event.action:policy.rule.deactivate
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-okta-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-okta-policy.asciidoc
index fef1f9519d..24b7436e02 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-okta-policy.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-okta-policy.asciidoc
@@ -11,6 +11,7 @@ the authentication requirements for user accounts.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -30,15 +31,18 @@ the authentication requirements for user accounts.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-deactivate-okta-policy-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -57,8 +61,7 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
-event.action:policy.lifecycle.deactivate
+event.dataset:okta.system and event.action:policy.lifecycle.deactivate
 ----------------------------------
 
 ==== Threat mapping
@@ -73,3 +76,16 @@ event.action:policy.lifecycle.deactivate
 ** Name: Account Manipulation
 ** ID: T1098
 ** Reference URL: https://attack.mitre.org/techniques/T1098/
+
+[[attempt-to-deactivate-okta-policy-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:policy.lifecycle.deactivate
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-okta-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-okta-policy.asciidoc
index 17c7b52891..d96c650271 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-okta-policy.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-okta-policy.asciidoc
@@ -11,6 +11,7 @@ authentication requirements for user accounts.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -30,15 +31,18 @@ authentication requirements for user accounts.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-delete-okta-policy-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -57,6 +61,18 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
+event.dataset:okta.system and event.action:policy.lifecycle.delete
+----------------------------------
+
+
+[[attempt-to-delete-okta-policy-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.module:okta and event.dataset:okta.system and
 event.action:policy.lifecycle.delete
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc
index fe1f1b3ab2..29eb659033 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc
@@ -25,13 +25,16 @@ receive.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<attempt-to-disable-iptables-or-firewall-history, version history>>)
+*Version*: 4 (<<attempt-to-disable-iptables-or-firewall-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -66,6 +69,9 @@ and process.args:(firewalld or ip6tables or iptables))
 [[attempt-to-disable-iptables-or-firewall-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc
index cc08b5eb3b..49ae579183 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc
@@ -24,13 +24,16 @@ use to disrupt event logging and evade detection by security controls.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<attempt-to-disable-syslog-service-history, version history>>)
+*Version*: 4 (<<attempt-to-disable-syslog-service-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -64,6 +67,9 @@ and process.args:(syslog or rsyslog or "syslog-ng")
 [[attempt-to-disable-syslog-service-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-mfa-rule.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-mfa-rule.asciidoc
index 253229af84..d539412211 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-mfa-rule.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-mfa-rule.asciidoc
@@ -9,6 +9,7 @@ rule in order to remove or weaken an organization's security controls.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -28,15 +29,18 @@ rule in order to remove or weaken an organization's security controls.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-modify-okta-mfa-rule-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -55,6 +59,19 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
+event.dataset:okta.system and event.action:(policy.rule.update or
+policy.rule.delete)
+----------------------------------
+
+
+[[attempt-to-modify-okta-mfa-rule-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.module:okta and event.dataset:okta.system and
 event.action:(policy.rule.update or policy.rule.delete)
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-network-zone.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-network-zone.asciidoc
index e2c2319fd5..f04ee7c85d 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-network-zone.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-network-zone.asciidoc
@@ -11,6 +11,7 @@ organization's security controls.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: medium
 
@@ -30,15 +31,18 @@ organization's security controls.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
-* SecOps
-* Network
 * Continuous Monitoring
+* SecOps
+* Network Security
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-modify-okta-network-zone-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -57,6 +61,20 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
+event.dataset:okta.system and event.action:(zone.update or
+zone.deactivate or zone.delete or network_zone.rule.disabled or
+zone.remove_blacklist)
+----------------------------------
+
+
+[[attempt-to-modify-okta-network-zone-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.module:okta and event.dataset:okta.system and
 event.action:(zone.update or zone.deactivate or zone.delete or
 network_zone.rule.disabled or zone.remove_blacklist)
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-policy.asciidoc
index b129bd6762..c43b60b0c8 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-policy.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-okta-policy.asciidoc
@@ -11,6 +11,7 @@ authentication requirements for user accounts.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -30,15 +31,18 @@ authentication requirements for user accounts.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-modify-okta-policy-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -57,6 +61,18 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
+event.dataset:okta.system and event.action:policy.lifecycle.update
+----------------------------------
+
+
+[[attempt-to-modify-okta-policy-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.module:okta and event.dataset:okta.system and
 event.action:policy.lifecycle.update
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-reset-mfa-factors-for-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-reset-mfa-factors-for-okta-user-account.asciidoc
index 5bb25e6ca3..fb59ad4d9c 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-reset-mfa-factors-for-okta-user-account.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-reset-mfa-factors-for-okta-user-account.asciidoc
@@ -11,6 +11,7 @@ environment.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -30,15 +31,18 @@ environment.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-reset-mfa-factors-for-okta-user-account-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -57,8 +61,7 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
-event.action:user.mfa.factor.reset_all
+event.dataset:okta.system and event.action:user.mfa.factor.reset_all
 ----------------------------------
 
 ==== Threat mapping
@@ -73,3 +76,16 @@ event.action:user.mfa.factor.reset_all
 ** Name: Account Manipulation
 ** ID: T1098
 ** Reference URL: https://attack.mitre.org/techniques/T1098/
+
+[[attempt-to-reset-mfa-factors-for-okta-user-account-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:user.mfa.factor.reset_all
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-revoke-okta-api-token.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-revoke-okta-api-token.asciidoc
index 7d5b8e78a7..f41a0e621d 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempt-to-revoke-okta-api-token.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-revoke-okta-api-token.asciidoc
@@ -10,6 +10,7 @@ operations.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: low
 
@@ -29,15 +30,18 @@ operations.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempt-to-revoke-okta-api-token-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -56,8 +60,7 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
-event.action:system.api_token.revoke
+event.dataset:okta.system and event.action:system.api_token.revoke
 ----------------------------------
 
 ==== Threat mapping
@@ -72,3 +75,16 @@ event.action:system.api_token.revoke
 ** Name: Account Access Removal
 ** ID: T1531
 ** Reference URL: https://attack.mitre.org/techniques/T1531/
+
+[[attempt-to-revoke-okta-api-token-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:system.api_token.revoke
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/attempted-bypass-of-okta-mfa.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempted-bypass-of-okta-mfa.asciidoc
index 0b97842154..58f5e74fba 100644
--- a/docs/detections/prebuilt-rules/rule-details/attempted-bypass-of-okta-mfa.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/attempted-bypass-of-okta-mfa.asciidoc
@@ -10,6 +10,7 @@ to an application. This rule detects when an Okta MFA bypass attempt occurs.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: high
 
@@ -29,15 +30,18 @@ to an application. This rule detects when an Okta MFA bypass attempt occurs.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<attempted-bypass-of-okta-mfa-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -51,8 +55,7 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
-event.action:user.mfa.attempt_bypass
+event.dataset:okta.system and event.action:user.mfa.attempt_bypass
 ----------------------------------
 
 ==== Threat mapping
@@ -67,3 +70,16 @@ event.action:user.mfa.attempt_bypass
 ** Name: Two-Factor Authentication Interception
 ** ID: T1111
 ** Reference URL: https://attack.mitre.org/techniques/T1111/
+
+[[attempted-bypass-of-okta-mfa-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:user.mfa.attempt_bypass
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-an-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-an-okta-user-account.asciidoc
new file mode 100644
index 0000000000..38d1af5876
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-an-okta-user-account.asciidoc
@@ -0,0 +1,68 @@
+[[attempts-to-brute-force-an-okta-user-account]]
+=== Attempts to Brute Force an Okta User Account
+
+Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.
+
+*Rule type*: threshold
+
+*Rule indices*:
+
+* filebeat-*
+* logs-okta*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-180m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://developer.okta.com/docs/reference/api/system-log/
+* https://developer.okta.com/docs/reference/api/event-types/
+
+*Tags*:
+
+* Elastic
+* Identity
+* Okta
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Okta Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:okta.system and event.action:user.account.lock
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-access-secret-in-secrets-manager.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-access-secret-in-secrets-manager.asciidoc
index 44607c3fd3..a97ab87858 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-access-secret-in-secrets-manager.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-access-secret-in-secrets-manager.asciidoc
@@ -9,6 +9,7 @@ certificates, credentials, or other sensitive material.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: high
 
@@ -27,16 +28,19 @@ certificates, credentials, or other sensitive material.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Data Protection
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-access-secret-in-secrets-manager-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Nick Jones, Elastic
 
 *Rule license*: Elastic License
@@ -73,3 +77,10 @@ event.action:GetSecretValue
 ** Name: Steal Application Access Token
 ** ID: T1528
 ** Reference URL: https://attack.mitre.org/techniques/T1528/
+
+[[aws-access-secret-in-secrets-manager-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-created.asciidoc
index 1d4de575b5..1e0b74e657 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-created.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-created.asciidoc
@@ -9,6 +9,7 @@ delivery of log data.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -27,16 +28,19 @@ delivery of log data.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Logging
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Log Auditing
 
-*Version*: 1
+*Version*: 2 (<<aws-cloudtrail-log-created-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -74,3 +78,10 @@ event.provider:cloudtrail.amazonaws.com and event.outcome:success
 ** Name: Data from Cloud Storage Object
 ** ID: T1530
 ** Reference URL: https://attack.mitre.org/techniques/T1530/
+
+[[aws-cloudtrail-log-created-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-deleted.asciidoc
index ce1416101d..d8146e12a1 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-deleted.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-deleted.asciidoc
@@ -9,6 +9,7 @@ an attempt to evade defenses.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -27,16 +28,19 @@ an attempt to evade defenses.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Logging
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Log Auditing
 
-*Version*: 1
+*Version*: 2 (<<aws-cloudtrail-log-deleted-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -74,3 +78,10 @@ event.provider:cloudtrail.amazonaws.com and event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-cloudtrail-log-deleted-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-suspended.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-suspended.asciidoc
index 6a68826bd1..27f787b124 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-suspended.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-suspended.asciidoc
@@ -10,6 +10,7 @@ defenses.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -28,16 +29,19 @@ defenses.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Logging
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Log Auditing
 
-*Version*: 1
+*Version*: 2 (<<aws-cloudtrail-log-suspended-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -75,3 +79,10 @@ event.provider:cloudtrail.amazonaws.com and event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-cloudtrail-log-suspended-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-updated.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-updated.asciidoc
index 3c0d468462..48d240e97b 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-updated.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-updated.asciidoc
@@ -9,6 +9,7 @@ log files.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -27,16 +28,19 @@ log files.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Logging
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Log Auditing
 
-*Version*: 1
+*Version*: 2 (<<aws-cloudtrail-log-updated-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -84,3 +88,10 @@ event.provider:cloudtrail.amazonaws.com and event.outcome:success
 ** Name: Data from Cloud Storage Object
 ** ID: T1530
 ** Reference URL: https://attack.mitre.org/techniques/T1530/
+
+[[aws-cloudtrail-log-updated-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-alarm-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-alarm-deletion.asciidoc
index 26b73ad7b8..021471b53c 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-alarm-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-alarm-deletion.asciidoc
@@ -9,6 +9,7 @@ alarms in an attempt to evade defenses.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -27,16 +28,19 @@ alarms in an attempt to evade defenses.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-cloudwatch-alarm-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -73,3 +77,10 @@ event.provider:monitoring.amazonaws.com and event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-cloudwatch-alarm-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-group-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-group-deletion.asciidoc
index 6a02116b89..f287fcaaf1 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-group-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-group-deletion.asciidoc
@@ -10,6 +10,7 @@ also permanently deleted.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -28,16 +29,19 @@ also permanently deleted.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Logging
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Log Auditing
 
-*Version*: 1
+*Version*: 2 (<<aws-cloudwatch-log-group-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -84,3 +88,10 @@ event.provider:logs.amazonaws.com and event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-cloudwatch-log-group-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-stream-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-stream-deletion.asciidoc
index 37105e5bb2..792b3b04de 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-stream-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-stream-deletion.asciidoc
@@ -9,6 +9,7 @@ deletes all associated archived log events with the stream.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -27,16 +28,19 @@ deletes all associated archived log events with the stream.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Logging
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Log Auditing
 
-*Version*: 1
+*Version*: 2 (<<aws-cloudwatch-log-stream-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -84,3 +88,10 @@ event.provider:logs.amazonaws.com and event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-cloudwatch-log-stream-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-config-service-tampering.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-config-service-tampering.asciidoc
index d1cd6049fd..dba590323b 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-config-service-tampering.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-config-service-tampering.asciidoc
@@ -10,6 +10,7 @@ posture of an account and/or its workload instances.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -28,16 +29,19 @@ posture of an account and/or its workload instances.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-config-service-tampering-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -76,3 +80,10 @@ event.provider: config.amazonaws.com
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-config-service-tampering-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-configuration-recorder-stopped.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-configuration-recorder-stopped.asciidoc
index 355e7cd55a..529abd2524 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-configuration-recorder-stopped.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-configuration-recorder-stopped.asciidoc
@@ -9,6 +9,7 @@ resources.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: high
 
@@ -27,16 +28,19 @@ resources.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-configuration-recorder-stopped-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -74,3 +78,10 @@ and event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-configuration-recorder-stopped-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-encryption-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-encryption-disabled.asciidoc
index c743e204a4..fda8f3ee5a 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-encryption-disabled.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-encryption-disabled.asciidoc
@@ -10,6 +10,7 @@ encryption status of your existing volumes.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -29,16 +30,19 @@ encryption status of your existing volumes.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Data Protection
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-ec2-encryption-disabled-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -77,3 +81,10 @@ event.outcome:success
 ** Name: Stored Data Manipulation
 ** ID: T1492
 ** Reference URL: https://attack.mitre.org/techniques/T1492/
+
+[[aws-ec2-encryption-disabled-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-flow-log-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-flow-log-deletion.asciidoc
index f4d0402403..93e9fc0ea1 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-flow-log-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-flow-log-deletion.asciidoc
@@ -9,6 +9,7 @@ Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: high
 
@@ -27,16 +28,19 @@ Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Logging
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Log Auditing
 
-*Version*: 1
+*Version*: 2 (<<aws-ec2-flow-log-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -73,3 +77,10 @@ event.provider:ec2.amazonaws.com and event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-ec2-flow-log-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc
index d783a0ffcb..a168812b07 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc
@@ -9,6 +9,7 @@ control list (ACL) or an entry in a network ACL with a specified rule number.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -29,16 +30,19 @@ control list (ACL) or an entry in a network ACL with a specified rule number.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Network
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Network Security
 
-*Version*: 1
+*Version*: 2 (<<aws-ec2-network-access-control-list-creation-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -77,3 +81,10 @@ event.outcome:success
 ** Name: Redundant Access
 ** ID: T1108
 ** Reference URL: https://attack.mitre.org/techniques/T1108/
+
+[[aws-ec2-network-access-control-list-creation-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc
index d655f1d1d6..7fac027087 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc
@@ -9,6 +9,7 @@ control list (ACL) or one of its ingress/egress entries.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -29,16 +30,19 @@ control list (ACL) or one of its ingress/egress entries.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Network
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Network Security
 
-*Version*: 1
+*Version*: 2 (<<aws-ec2-network-access-control-list-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -77,3 +81,10 @@ event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-ec2-network-access-control-list-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-snapshot-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-snapshot-activity.asciidoc
index e84dc011c0..ba139ca7a3 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-snapshot-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-snapshot-activity.asciidoc
@@ -11,6 +11,7 @@ with an unauthorized or unexpected AWS account.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -29,16 +30,19 @@ with an unauthorized or unexpected AWS account.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Asset Visibility
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-ec2-snapshot-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -58,8 +62,7 @@ The AWS Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:aws and event.dataset:aws.cloudtrail and
-event.provider:ec2.amazonaws.com and
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and
 event.action:ModifySnapshotAttribute
 ----------------------------------
 
@@ -75,3 +78,17 @@ event.action:ModifySnapshotAttribute
 ** Name: Transfer Data to Cloud Account
 ** ID: T1537
 ** Reference URL: https://attack.mitre.org/techniques/T1537/
+
+[[aws-ec2-snapshot-activity-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:aws and event.dataset:aws.cloudtrail and
+event.provider:ec2.amazonaws.com and
+event.action:ModifySnapshotAttribute
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-execution-via-system-manager.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-execution-via-system-manager.asciidoc
index 9ddc592f83..0069b8399d 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-execution-via-system-manager.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-execution-via-system-manager.asciidoc
@@ -11,6 +11,7 @@ compromised instance via reverse-shell using system only commands.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -28,16 +29,19 @@ compromised instance via reverse-shell using system only commands.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Logging
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Log Auditing
 
-*Version*: 1
+*Version*: 2 (<<aws-execution-via-system-manager-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -58,9 +62,8 @@ The AWS Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:aws and event.dataset:aws.cloudtrail and
-event.provider:ssm.amazonaws.com and event.action:SendCommand and
-event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and
+event.action:SendCommand and event.outcome:success
 ----------------------------------
 
 ==== Threat mapping
@@ -85,3 +88,17 @@ event.outcome:success
 ** Name: PowerShell
 ** ID: T1086
 ** Reference URL: https://attack.mitre.org/techniques/T1086/
+
+[[aws-execution-via-system-manager-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:aws and event.dataset:aws.cloudtrail and
+event.provider:ssm.amazonaws.com and event.action:SendCommand and
+event.outcome:success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-guardduty-detector-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-guardduty-detector-deletion.asciidoc
index 8b56e6e4b7..293ca5a3b9 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-guardduty-detector-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-guardduty-detector-deletion.asciidoc
@@ -9,6 +9,7 @@ GuardDuty stops monitoring the environment and all existing findings are lost.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: high
 
@@ -27,16 +28,19 @@ GuardDuty stops monitoring the environment and all existing findings are lost.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-guardduty-detector-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -74,3 +78,10 @@ event.provider:guardduty.amazonaws.com and event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-guardduty-detector-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc
index d07673b646..f02251b65b 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc
@@ -10,6 +10,7 @@ the privileges of that role.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -27,16 +28,19 @@ the privileges of that role.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-iam-assume-role-policy-update-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -57,8 +61,7 @@ The AWS Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:aws and event.dataset:aws.cloudtrail and
-event.provider:iam.amazonaws.com and
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and
 event.action:UpdateAssumeRolePolicy and event.outcome:success
 ----------------------------------
 
@@ -74,3 +77,17 @@ event.action:UpdateAssumeRolePolicy and event.outcome:success
 ** Name: Valid Accounts
 ** ID: T1078
 ** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+[[aws-iam-assume-role-policy-update-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:aws and event.dataset:aws.cloudtrail and
+event.provider:iam.amazonaws.com and
+event.action:UpdateAssumeRolePolicy and event.outcome:success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-brute-force-of-assume-role-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-brute-force-of-assume-role-policy.asciidoc
index 4156b67048..f9431368a6 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-iam-brute-force-of-assume-role-policy.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-brute-force-of-assume-role-policy.asciidoc
@@ -11,6 +11,7 @@ if a role exists before attempting to assume or hijack the discovered role.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -29,16 +30,19 @@ if a role exists before attempting to assume or hijack the discovered role.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-iam-brute-force-of-assume-role-policy-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -52,8 +56,7 @@ The AWS Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:aws and event.dataset:aws.cloudtrail and
-event.provider:iam.amazonaws.com and
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and
 event.action:UpdateAssumeRolePolicy and
 aws.cloudtrail.error_code:MalformedPolicyDocumentException and
 event.outcome:failure
@@ -71,3 +74,19 @@ event.outcome:failure
 ** Name: Brute Force
 ** ID: T1110
 ** Reference URL: https://attack.mitre.org/techniques/T1110/
+
+[[aws-iam-brute-force-of-assume-role-policy-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:aws and event.dataset:aws.cloudtrail and
+event.provider:iam.amazonaws.com and
+event.action:UpdateAssumeRolePolicy and
+aws.cloudtrail.error_code:MalformedPolicyDocumentException and
+event.outcome:failure
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-deactivation-of-mfa-device.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-deactivation-of-mfa-device.asciidoc
index a4cd6b2ad9..a24218558a 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-iam-deactivation-of-mfa-device.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-deactivation-of-mfa-device.asciidoc
@@ -11,6 +11,7 @@ be deactivated before it can be deleted.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -29,16 +30,19 @@ be deactivated before it can be deleted.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-iam-deactivation-of-mfa-device-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -76,3 +80,10 @@ event.provider:iam.amazonaws.com and event.outcome:success
 ** Name: Account Access Removal
 ** ID: T1531
 ** Reference URL: https://attack.mitre.org/techniques/T1531/
+
+[[aws-iam-deactivation-of-mfa-device-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-group-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-group-creation.asciidoc
index 5028a38b9a..db18bf85c7 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-iam-group-creation.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-group-creation.asciidoc
@@ -10,6 +10,7 @@ automatically have the permissions that are assigned to the group.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -28,16 +29,19 @@ automatically have the permissions that are assigned to the group.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-iam-group-creation-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -75,3 +79,10 @@ event.provider:iam.amazonaws.com and event.outcome:success
 ** Name: Redundant Access
 ** ID: T1108
 ** Reference URL: https://attack.mitre.org/techniques/T1108/
+
+[[aws-iam-group-creation-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-group-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-group-deletion.asciidoc
index 940d3d9a10..d75cf2af0b 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-iam-group-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-group-deletion.asciidoc
@@ -10,6 +10,7 @@ members of the group, only the group structure.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -28,16 +29,19 @@ members of the group, only the group structure.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-iam-group-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -75,3 +79,10 @@ event.provider:iam.amazonaws.com and event.outcome:success
 ** Name: Account Access Removal
 ** ID: T1531
 ** Reference URL: https://attack.mitre.org/techniques/T1531/
+
+[[aws-iam-group-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-password-recovery-requested.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-password-recovery-requested.asciidoc
index 8346a93651..2042bba17e 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-iam-password-recovery-requested.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-password-recovery-requested.asciidoc
@@ -9,6 +9,7 @@ unauthorized AWS access by abusing password recovery mechanisms.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -26,16 +27,19 @@ unauthorized AWS access by abusing password recovery mechanisms.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-iam-password-recovery-requested-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -72,3 +76,10 @@ event.provider:signin.amazonaws.com and event.outcome:success
 ** Name: Valid Accounts
 ** ID: T1078
 ** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+[[aws-iam-password-recovery-requested-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-user-addition-to-group.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-user-addition-to-group.asciidoc
index 3eeb8d26a1..2f61650a36 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-iam-user-addition-to-group.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-user-addition-to-group.asciidoc
@@ -9,6 +9,7 @@ Access Management (IAM).
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -26,16 +27,19 @@ Access Management (IAM).
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-iam-user-addition-to-group-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -83,3 +87,10 @@ event.provider:iam.amazonaws.com and event.outcome:success
 ** Name: Account Manipulation
 ** ID: T1098
 ** Reference URL: https://attack.mitre.org/techniques/T1098/
+
+[[aws-iam-user-addition-to-group-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-management-console-brute-force-of-root-user-identity.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-management-console-brute-force-of-root-user-identity.asciidoc
new file mode 100644
index 0000000000..d0d2723850
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/aws-management-console-brute-force-of-root-user-identity.asciidoc
@@ -0,0 +1,73 @@
+[[aws-management-console-brute-force-of-root-user-identity]]
+=== AWS Management Console Brute Force of Root User Identity
+
+Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.
+
+*Rule type*: threshold
+
+*Rule indices*:
+
+* filebeat-*
+* logs-aws*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-20m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
+
+*Tags*:
+
+* Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.
+
+==== Investigation guide
+
+The AWS Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com
+and event.action:ConsoleLogin and
+aws.cloudtrail.user_identity.type:Root and event.outcome:failure
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Brute Force
+** ID: T1110
+** Reference URL: https://attack.mitre.org/techniques/T1110/
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-management-console-root-login.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-management-console-root-login.asciidoc
index cf8bdb31f7..a313915e9d 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-management-console-root-login.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-management-console-root-login.asciidoc
@@ -8,6 +8,7 @@ Identifies a successful login to the AWS Management Console by the Root user.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: high
 
@@ -25,16 +26,19 @@ Identifies a successful login to the AWS Management Console by the Root user.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-management-console-root-login-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -56,9 +60,9 @@ The AWS Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.action:ConsoleLogin and event.module:aws and
-event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com
-and aws.cloudtrail.user_identity.type:Root and event.outcome:success
+event.action:ConsoleLogin and event.dataset:aws.cloudtrail and
+event.provider:signin.amazonaws.com and
+aws.cloudtrail.user_identity.type:Root and event.outcome:success
 ----------------------------------
 
 ==== Threat mapping
@@ -83,3 +87,17 @@ and aws.cloudtrail.user_identity.type:Root and event.outcome:success
 ** Name: Valid Accounts
 ** ID: T1078
 ** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+[[aws-management-console-root-login-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.action:ConsoleLogin and event.module:aws and
+event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com
+and aws.cloudtrail.user_identity.type:Root and event.outcome:success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-creation.asciidoc
index 74754a4ba7..80fa6decc8 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-creation.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-creation.asciidoc
@@ -9,6 +9,7 @@ Aurora DB cluster or global database spread across multiple regions.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -29,16 +30,19 @@ Aurora DB cluster or global database spread across multiple regions.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Asset Visibility
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-rds-cluster-creation-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -87,3 +91,10 @@ event.outcome:success
 ** Name: Redundant Access
 ** ID: T1108
 ** Reference URL: https://attack.mitre.org/techniques/T1108/
+
+[[aws-rds-cluster-creation-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-deletion.asciidoc
index cebc7e04d7..02e3374085 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-deletion.asciidoc
@@ -9,6 +9,7 @@ database cluster or global database cluster.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -29,16 +30,19 @@ database cluster or global database cluster.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Asset Visibility
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-rds-cluster-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -77,3 +81,10 @@ event.outcome:success
 ** Name: Data Destruction
 ** ID: T1485
 ** Reference URL: https://attack.mitre.org/techniques/T1485/
+
+[[aws-rds-cluster-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-cluster-stoppage.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-cluster-stoppage.asciidoc
index bb7a053075..59945b0be6 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-cluster-stoppage.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-cluster-stoppage.asciidoc
@@ -8,6 +8,7 @@ Identifies that an Amazon Relational Database Service (RDS) cluster or instance
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -28,16 +29,19 @@ Identifies that an Amazon Relational Database Service (RDS) cluster or instance
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Asset Visibility
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-rds-instance-cluster-stoppage-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -76,3 +80,10 @@ event.outcome:success
 ** Name: Service Stop
 ** ID: T1489
 ** Reference URL: https://attack.mitre.org/techniques/T1489/
+
+[[aws-rds-instance-cluster-stoppage-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-root-login-without-mfa.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-root-login-without-mfa.asciidoc
index 574cd29851..b6ccd592ac 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-root-login-without-mfa.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-root-login-without-mfa.asciidoc
@@ -10,10 +10,11 @@ should be protected by MFA.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
-*Severity*: low
+*Severity*: high
 
-*Risk score*: 21
+*Risk score*: 73
 
 *Runs every*: 10 minutes
 
@@ -27,16 +28,19 @@ should be protected by MFA.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-root-login-without-mfa-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -56,8 +60,8 @@ The AWS Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:aws and event.dataset:aws.cloudtrail and
-event.provider:signin.amazonaws.com and event.action:ConsoleLogin and
+event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com
+and event.action:ConsoleLogin and
 aws.cloudtrail.user_identity.type:Root and
 aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and
 event.outcome:success
@@ -75,3 +79,19 @@ event.outcome:success
 ** Name: Valid Accounts
 ** ID: T1078
 ** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+[[aws-root-login-without-mfa-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:aws and event.dataset:aws.cloudtrail and
+event.provider:signin.amazonaws.com and event.action:ConsoleLogin and
+aws.cloudtrail.user_identity.type:Root and
+aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and
+event.outcome:success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-configuration-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-configuration-deletion.asciidoc
index 2d03fb1905..aea76284c6 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-configuration-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-configuration-deletion.asciidoc
@@ -9,6 +9,7 @@ configuration components.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: low
 
@@ -30,16 +31,19 @@ configuration components.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
+* Continuous Monitoring
 * SecOps
 * Asset Visibility
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<aws-s3-bucket-configuration-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -79,3 +83,10 @@ and event.outcome:success
 ** Name: Indicator Removal on Host
 ** ID: T1070
 ** Reference URL: https://attack.mitre.org/techniques/T1070/
+
+[[aws-s3-bucket-configuration-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-waf-access-control-list-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-waf-access-control-list-deletion.asciidoc
index 7bc43568dc..cf5d2b4280 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-waf-access-control-list-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-waf-access-control-list-deletion.asciidoc
@@ -9,6 +9,7 @@ access control list.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -27,16 +28,19 @@ access control list.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Network
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Network Security
 
-*Version*: 1
+*Version*: 2 (<<aws-waf-access-control-list-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -74,3 +78,10 @@ event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-waf-access-control-list-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc
index e3d7f2f3be..ca1ba53151 100644
--- a/docs/detections/prebuilt-rules/rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc
@@ -9,6 +9,7 @@ or rule group.
 *Rule indices*:
 
 * filebeat-*
+* logs-aws*
 
 *Severity*: medium
 
@@ -27,16 +28,19 @@ or rule group.
 
 *Tags*:
 
-* AWS
 * Elastic
-* SecOps
-* Network
+* Cloud
+* AWS
 * Continuous Monitoring
+* SecOps
+* Network Security
 
-*Version*: 1
+*Version*: 2 (<<aws-waf-rule-or-rule-group-deletion-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -58,8 +62,8 @@ The AWS Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:aws and event.dataset:aws.cloudtrail and
-event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
+event.dataset:aws.cloudtrail and event.action:(DeleteRule or
+DeleteRuleGroup) and event.outcome:success
 ----------------------------------
 
 ==== Threat mapping
@@ -74,3 +78,16 @@ event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
 ** Name: Disabling Security Tools
 ** ID: T1089
 ** Reference URL: https://attack.mitre.org/techniques/T1089/
+
+[[aws-waf-rule-or-rule-group-deletion-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:aws and event.dataset:aws.cloudtrail and
+event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-automation-account-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-automation-account-created.asciidoc
new file mode 100644
index 0000000000..5c8907d4f2
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-automation-account-created.asciidoc
@@ -0,0 +1,81 @@
+[[azure-automation-account-created]]
+=== Azure Automation Account Created
+
+Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor
+* https://github.com/hausec/PowerZure
+* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
+* https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-automation-runbook-created-or-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-automation-runbook-created-or-modified.asciidoc
new file mode 100644
index 0000000000..5bafd12b26
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-automation-runbook-created-or-modified.asciidoc
@@ -0,0 +1,61 @@
+[[azure-automation-runbook-created-or-modified]]
+=== Azure Automation Runbook Created or Modified
+
+Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor
+* https://github.com/hausec/PowerZure
+* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
+* https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or
+MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or
+MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and
+event.outcome:Success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-automation-runbook-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-automation-runbook-deleted.asciidoc
new file mode 100644
index 0000000000..57ed049c3a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-automation-runbook-deleted.asciidoc
@@ -0,0 +1,59 @@
+[[azure-automation-runbook-deleted]]
+=== Azure Automation Runbook Deleted
+
+Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor
+* https://github.com/hausec/PowerZure
+* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
+* https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and
+event.outcome:Success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-automation-webhook-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-automation-webhook-created.asciidoc
new file mode 100644
index 0000000000..2f1dca87f4
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-automation-webhook-created.asciidoc
@@ -0,0 +1,60 @@
+[[azure-automation-webhook-created]]
+=== Azure Automation Webhook Created
+
+Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor
+* https://github.com/hausec/PowerZure
+* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
+* https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or
+MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and
+event.outcome:Success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-blob-container-access-level-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-blob-container-access-level-modification.asciidoc
new file mode 100644
index 0000000000..46c0e43688
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-blob-container-access-level-modification.asciidoc
@@ -0,0 +1,82 @@
+[[azure-blob-container-access-level-modification]]
+=== Azure Blob Container Access Level Modification
+
+Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Asset Visibility
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Cloud Service Discovery
+** ID: T1526
+** Reference URL: https://attack.mitre.org/techniques/T1526/
+
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Exploit Public-Facing Application
+** ID: T1190
+** Reference URL: https://attack.mitre.org/techniques/T1190/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-command-execution-on-virtual-machine.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-command-execution-on-virtual-machine.asciidoc
new file mode 100644
index 0000000000..2209fb4724
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-command-execution-on-virtual-machine.asciidoc
@@ -0,0 +1,74 @@
+[[azure-command-execution-on-virtual-machine]]
+=== Azure Command Execution on Virtual Machine
+
+Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://adsecurity.org/?p=4277
+* https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
+* https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-conditional-access-policy-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-conditional-access-policy-modified.asciidoc
new file mode 100644
index 0000000000..d70c4aeef1
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-conditional-access-policy-modified.asciidoc
@@ -0,0 +1,69 @@
+[[azure-conditional-access-policy-modified]]
+=== Azure Conditional Access Policy Modified
+
+Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:(azure.activitylogs or azure.auditlogs) and (
+azure.activitylogs.operation_name:"Update policy" or
+azure.auditlogs.operation_name:"Update policy" ) and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-diagnostic-settings-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-diagnostic-settings-deletion.asciidoc
new file mode 100644
index 0000000000..16ab0246fd
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-diagnostic-settings-deletion.asciidoc
@@ -0,0 +1,72 @@
+[[azure-diagnostic-settings-deletion]]
+=== Azure Diagnostic Settings Deletion
+
+Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Monitoring
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Disabling Security Tools
+** ID: T1089
+** Reference URL: https://attack.mitre.org/techniques/T1089/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-event-hub-authorization-rule-created-or-updated.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-event-hub-authorization-rule-created-or-updated.asciidoc
new file mode 100644
index 0000000000..382af07849
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-event-hub-authorization-rule-created-or-updated.asciidoc
@@ -0,0 +1,82 @@
+[[azure-event-hub-authorization-rule-created-or-updated]]
+=== Azure Event Hub Authorization Rule Created or Updated
+
+Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Data from Cloud Storage Object
+** ID: T1530
+** Reference URL: https://attack.mitre.org/techniques/T1530/
+
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
+* Technique:
+** Name: Transfer Data to Cloud Account
+** ID: T1537
+** Reference URL: https://attack.mitre.org/techniques/T1537/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-event-hub-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-event-hub-deletion.asciidoc
new file mode 100644
index 0000000000..3588a54611
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-event-hub-deletion.asciidoc
@@ -0,0 +1,74 @@
+[[azure-event-hub-deletion]]
+=== Azure Event Hub Deletion
+
+Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about
+* https://azure.microsoft.com/en-in/services/event-hubs/
+* https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Disabling Security Tools
+** ID: T1089
+** Reference URL: https://attack.mitre.org/techniques/T1089/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-external-guest-user-invitation.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-external-guest-user-invitation.asciidoc
new file mode 100644
index 0000000000..cf28485242
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-external-guest-user-invitation.asciidoc
@@ -0,0 +1,83 @@
+[[azure-external-guest-user-invitation]]
+=== Azure External Guest User Invitation
+
+Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.auditlogs and
+azure.auditlogs.operation_name:"Invite external user" and
+azure.auditlogs.properties.target_resources.*.display_name:guest and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-firewall-policy-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-firewall-policy-deletion.asciidoc
new file mode 100644
index 0000000000..a0003d99ef
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-firewall-policy-deletion.asciidoc
@@ -0,0 +1,71 @@
+[[azure-firewall-policy-deletion]]
+=== Azure Firewall Policy Deletion
+
+Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Network Security
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Disabling Security Tools
+** ID: T1089
+** Reference URL: https://attack.mitre.org/techniques/T1089/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-global-administrator-role-addition-to-pim-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-global-administrator-role-addition-to-pim-user.asciidoc
new file mode 100644
index 0000000000..0902bd16fa
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-global-administrator-role-addition-to-pim-user.asciidoc
@@ -0,0 +1,76 @@
+[[azure-global-administrator-role-addition-to-pim-user]]
+=== Azure Global Administrator Role Addition to PIM User
+
+Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.auditlogs and
+azure.auditlogs.properties.category:RoleManagement and
+azure.auditlogs.operation_name:("Add eligible member to role in PIM
+completed (permanent)" or "Add member to role in PIM completed
+(timebound)") and
+azure.auditlogs.properties.target_resources.*.display_name:"Global
+Administrator" and event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-key-vault-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-key-vault-modified.asciidoc
new file mode 100644
index 0000000000..b1d44487d3
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-key-vault-modified.asciidoc
@@ -0,0 +1,73 @@
+[[azure-key-vault-modified]]
+=== Azure Key Vault Modified
+
+Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts
+* https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Data Protection
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and
+azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Credentials in Files
+** ID: T1081
+** Reference URL: https://attack.mitre.org/techniques/T1081/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-network-watcher-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-network-watcher-deletion.asciidoc
new file mode 100644
index 0000000000..05b28859dc
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-network-watcher-deletion.asciidoc
@@ -0,0 +1,71 @@
+[[azure-network-watcher-deletion]]
+=== Azure Network Watcher Deletion
+
+Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Network Security
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Disabling Security Tools
+** ID: T1089
+** Reference URL: https://attack.mitre.org/techniques/T1089/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-privilege-identity-management-role-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-privilege-identity-management-role-modified.asciidoc
new file mode 100644
index 0000000000..462e1d210d
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-privilege-identity-management-role-modified.asciidoc
@@ -0,0 +1,79 @@
+[[azure-privilege-identity-management-role-modified]]
+=== Azure Privilege Identity Management Role Modified
+
+Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles
+* https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.auditlogs and
+azure.auditlogs.operation_name:"Update role setting in PIM" and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-resource-group-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-resource-group-deletion.asciidoc
new file mode 100644
index 0000000000..901ce47149
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-resource-group-deletion.asciidoc
@@ -0,0 +1,82 @@
+[[azure-resource-group-deletion]]
+=== Azure Resource Group Deletion
+
+Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Data Destruction
+** ID: T1485
+** Reference URL: https://attack.mitre.org/techniques/T1485/
+
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Disabling Security Tools
+** ID: T1089
+** Reference URL: https://attack.mitre.org/techniques/T1089/
diff --git a/docs/detections/prebuilt-rules/rule-details/azure-storage-account-key-regenerated.asciidoc b/docs/detections/prebuilt-rules/rule-details/azure-storage-account-key-regenerated.asciidoc
new file mode 100644
index 0000000000..f921fe19e5
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/azure-storage-account-key-regenerated.asciidoc
@@ -0,0 +1,72 @@
+[[azure-storage-account-key-regenerated]]
+=== Azure Storage Account Key Regenerated
+
+Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated.
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name
+:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Steal Application Access Token
+** ID: T1528
+** Reference URL: https://attack.mitre.org/techniques/T1528/
diff --git a/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc
index ffebb40bdd..bdf2ca4293 100644
--- a/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc
@@ -24,13 +24,16 @@ use to evade detection by host- or network-based security controls.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<base16-or-base32-encoding-decoding-activity-history, version history>>)
+*Version*: 4 (<<base16-or-base32-encoding-decoding-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -75,6 +78,9 @@ process.name:(base16 or base32 or base32plain or base32hex)
 [[base16-or-base32-encoding-decoding-activity-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc
index 3376c38b9c..77ead91193 100644
--- a/docs/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/base64-encoding-decoding-activity.asciidoc
@@ -24,13 +24,16 @@ use to evade detection by host- or network-based security controls.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<base64-encoding-decoding-activity-history, version history>>)
+*Version*: 4 (<<base64-encoding-decoding-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -76,6 +79,9 @@ base64pem)
 [[base64-encoding-decoding-activity-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc
index 47ec5ff180..e9a60f741e 100644
--- a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc
@@ -24,13 +24,16 @@ bypass UAC to stealthily execute code with elevated permissions.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Privilege Escalation
 
-*Version*: 3 (<<bypass-uac-via-event-viewer-history, version history>>)
+*Version*: 4 (<<bypass-uac-via-event-viewer-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -63,6 +66,9 @@ process.executable:("C:\Windows\SysWOW64\mmc.exe" or
 [[bypass-uac-via-event-viewer-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-sdclt.asciidoc b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-sdclt.asciidoc
new file mode 100644
index 0000000000..8bbe34d55c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-sdclt.asciidoc
@@ -0,0 +1,66 @@
+[[bypass-uac-via-sdclt]]
+=== Bypass UAC via Sdclt
+
+Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Windows
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence with maxspan=1m [process where event.type in ("start",
+"process_started") and process.name == "sdclt.exe" and /*
+process.code_signature.* fields need to be populated for 7.10 */
+process.code_signature.subject_name == "Microsoft Corporation" and
+process.code_signature.trusted == true and process.args ==
+"/kickoffelev" ] by process.entity_id [process where event.type in
+("start", "process_started") and process.parent.name == "sdclt.exe"
+and process.executable not in
+("C:\\Windows\\System32\\sdclt.exe",
+"C:\\Windows\\System32\\control.exe",
+"C:\\Windows\\SysWOW64\\sdclt.exe",
+"C:\\Windows\\SysWOW64\\control.exe") ] by process.parent.entity_id
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Bypass User Account Control
+** ID: T1088
+** Reference URL: https://attack.mitre.org/techniques/T1088/
diff --git a/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc b/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc
index b67f84668f..fc4edcf0e1 100644
--- a/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc
@@ -25,13 +25,16 @@ system.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 4 (<<clearing-windows-event-logs-history, version history>>)
+*Version*: 5 (<<clearing-windows-event-logs-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -63,6 +66,9 @@ process.name:powershell.exe and process.args:Clear-EventLog
 [[clearing-windows-event-logs-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/cobalt-strike-command-and-control-beacon.asciidoc b/docs/detections/prebuilt-rules/rule-details/cobalt-strike-command-and-control-beacon.asciidoc
new file mode 100644
index 0000000000..67beca4c6c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/cobalt-strike-command-and-control-beacon.asciidoc
@@ -0,0 +1,71 @@
+[[cobalt-strike-command-and-control-beacon]]
+=== Cobalt Strike Command and Control Beacon
+
+Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* packetbeat-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://blog.morphisec.com/fin7-attacks-restaurant-industry
+* https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+
+*Tags*:
+
+* Elastic
+* Network
+* Threat Detection
+* Command and Control
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected.
+
+==== Investigation guide
+
+This activity has been observed in FIN7 campaigns.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:(network OR network_traffic) AND type:(tls OR http) AND
+network.transport:tcp AND
+destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Application Layer Protocol
+** ID: T1071
+** Reference URL: https://attack.mitre.org/techniques/T1071/
diff --git a/docs/detections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc
index 04d10af5c7..b0238fe60f 100644
--- a/docs/detections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/command-prompt-network-connection.asciidoc
@@ -4,7 +4,7 @@
 Identifies `cmd.exe` making a network connection. Adversaries can abuse
 `cmd.exe` to download or execute malware from a remote URL.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -24,13 +24,16 @@ Identifies `cmd.exe` making a network connection. Adversaries can abuse
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<command-prompt-network-connection-history, version history>>)
+*Version*: 5 (<<command-prompt-network-connection-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,9 +48,10 @@ Administrators may use the command prompt for regular administrative tasks. It's
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or
-172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id [process where process.name :
+"cmd.exe" and event.type == "start"] [network where process.name :
+"cmd.exe" and not cidrmatch(destination.ip, "10.0.0.0/8",
+"172.16.0.0/12", "192.168.0.0/16")]
 ----------------------------------
 
 ==== Threat mapping
@@ -59,7 +63,7 @@ process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Command-Line Interface
+** Name: Command and Scripting Interpreter
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
 
@@ -69,13 +73,23 @@ process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or
 ** ID: TA0011
 ** Reference URL: https://attack.mitre.org/tactics/TA0011/
 * Technique:
-** Name: Remote File Copy
+** Name: Ingress Tool Transfer
 ** ID: T1105
 ** Reference URL: https://attack.mitre.org/techniques/T1105/
 
 [[command-prompt-network-connection-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or
+172.16.0.0/12 or 192.168.0.0/16)
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/compression-of-keychain-credentials-directories.asciidoc b/docs/detections/prebuilt-rules/rule-details/compression-of-keychain-credentials-directories.asciidoc
new file mode 100644
index 0000000000..67396664bb
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/compression-of-keychain-credentials-directories.asciidoc
@@ -0,0 +1,65 @@
+[[compression-of-keychain-credentials-directories]]
+=== Compression of Keychain Credentials Directories
+
+Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* auditbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://objective-see.com/blog/blog_0x25.html
+
+*Tags*:
+
+* Elastic
+* Host
+* macOS
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.name:(zip or tar or gzip or 7za or hdiutil) and
+process.args:("/Library/Keychains/" or "/Network/Library/Keychains/"
+or "~/Library/Keychains/")
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Keychain
+** ID: T1142
+** Reference URL: https://attack.mitre.org/techniques/T1142/
diff --git a/docs/detections/prebuilt-rules/rule-details/conhost-spawned-by-suspicious-parent-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/conhost-spawned-by-suspicious-parent-process.asciidoc
new file mode 100644
index 0000000000..a5b719a008
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/conhost-spawned-by-suspicious-parent-process.asciidoc
@@ -0,0 +1,66 @@
+[[conhost-spawned-by-suspicious-parent-process]]
+=== Conhost Spawned By Suspicious Parent Process
+
+Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.name:conhost.exe and process.parent.name:(svchost.exe or
+lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe
+or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or
+wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
diff --git a/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc
index bd7a46b2ca..378555d541 100644
--- a/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc
@@ -3,7 +3,7 @@
 
 Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -23,13 +23,16 @@ Telnet provides a command line interface for communication with a remote device
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Lateral Movement
 
-*Version*: 3 (<<connection-to-external-network-via-telnet-history, version history>>)
+*Version*: 4 (<<connection-to-external-network-via-telnet-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -44,9 +47,11 @@ Telnet can be used for both benign or malicious purposes. Telnet is included by
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:(connection or start) and
-process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8
-or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128")
+sequence by process.entity_id [process where process.name ==
+"telnet" and event.type == "start"] [network where process.name ==
+"telnet" and not cidrmatch(destination.ip, "127.0.0.0/8",
+"10.0.0.0/8", "172.16.0.0/12",
+"192.168.0.0/16", "FE80::/10", "::1/128")]
 ----------------------------------
 
 ==== Threat mapping
@@ -65,6 +70,16 @@ or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128")
 [[connection-to-external-network-via-telnet-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:(connection or start) and
+process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8
+or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128")
+----------------------------------
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc
index 2c39479806..750f4064d5 100644
--- a/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc
@@ -3,7 +3,7 @@
 
 Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -23,13 +23,16 @@ Telnet provides a command line interface for communication with a remote device
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Lateral Movement
 
-*Version*: 3 (<<connection-to-internal-network-via-telnet-history, version history>>)
+*Version*: 4 (<<connection-to-internal-network-via-telnet-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -44,9 +47,11 @@ Telnet can be used for both benign or malicious purposes. Telnet is included by
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:(connection or start) and
-process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12
-or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128"))
+sequence by process.entity_id [process where process.name ==
+"telnet" and event.type == "start"] [network where process.name ==
+"telnet" and cidrmatch(destination.ip, "10.0.0.0/8",
+"172.16.0.0/12", "192.168.0.0/16", "FE80::/10") and not
+cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
 ----------------------------------
 
 ==== Threat mapping
@@ -65,6 +70,16 @@ or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128"))
 [[connection-to-internal-network-via-telnet-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:(connection or start) and
+process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12
+or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128"))
+----------------------------------
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc b/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc
index a2a3f857a4..08fa01c478 100644
--- a/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories.asciidoc
@@ -27,13 +27,16 @@ directories.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 2 (<<creation-of-hidden-files-and-directories-history, version history>>)
+*Version*: 3 (<<creation-of-hidden-files-and-directories-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -82,6 +85,9 @@ process.name:(ls or find)
 [[creation-of-hidden-files-and-directories-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc
new file mode 100644
index 0000000000..0447fb8217
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc
@@ -0,0 +1,72 @@
+[[creation-or-modification-of-a-new-gpo-scheduled-task-or-service]]
+=== Creation or Modification of a new GPO Scheduled Task or Service
+
+Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and not event.type:deletion and file.path:(C\:\\Wi
+ndows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTas
+ks\\ScheduledTasks.xml or C\:\\Windows\\SYSVOL\\domain\\Policies\\*\\M
+ACHINE\\Preferences\\Preferences\\Services\\Services.xml) and not
+process.name:dfsrs.exe
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Scheduled Task/Job
+** ID: T1053
+** Reference URL: https://attack.mitre.org/techniques/T1053/
+
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
diff --git a/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc b/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc
new file mode 100644
index 0000000000..5cf27d00cf
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc
@@ -0,0 +1,68 @@
+[[creation-or-modification-of-domain-backup-dpapi-private-key]]
+=== Creation or Modification of Domain Backup DPAPI private key
+
+Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/
+* https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and not event.type:deletion and
+file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Private Keys
+** ID: T1145
+** Reference URL: https://attack.mitre.org/techniques/T1145/
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-endpoint-security.asciidoc
similarity index 63%
rename from docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-endpoint-security.asciidoc
index 071ab66d50..64ff31bde2 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-dumping-detected-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[credential-dumping-detected-elastic-endpoint-security]]
-=== Credential Dumping - Detected - Elastic Endpoint Security
+[[credential-dumping-detected-endpoint-security]]
+=== Credential Dumping - Detected - Endpoint Security
 
-Elastic Endpoint Security detected Credential Dumping. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security detected Credential Dumping. Click the Elastic Endpoin
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<credential-dumping-detected-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<credential-dumping-detected-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,9 +45,11 @@ endgame.event_subtype_full:cred_theft_event)
 ----------------------------------
 
 
-[[credential-dumping-detected-elastic-endpoint-security-history]]
+[[credential-dumping-detected-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Credential Dumping - Detected - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Dumping - Detected - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-endpoint-security.asciidoc
similarity index 63%
rename from docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-endpoint-security.asciidoc
index 7e4782f6ab..1623cdce38 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-dumping-prevented-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[credential-dumping-prevented-elastic-endpoint-security]]
-=== Credential Dumping - Prevented - Elastic Endpoint Security
+[[credential-dumping-prevented-endpoint-security]]
+=== Credential Dumping - Prevented - Endpoint Security
 
-Elastic Endpoint Security prevented Credential Dumping. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security prevented Credential Dumping. Click the Elastic Endpoi
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<credential-dumping-prevented-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<credential-dumping-prevented-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,9 +45,11 @@ endgame.event_subtype_full:cred_theft_event)
 ----------------------------------
 
 
-[[credential-dumping-prevented-elastic-endpoint-security-history]]
+[[credential-dumping-prevented-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Credential Dumping - Prevented - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Dumping - Prevented - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-endpoint-security.asciidoc
similarity index 63%
rename from docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-endpoint-security.asciidoc
index ba912085a6..8d56254288 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-detected-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[credential-manipulation-detected-elastic-endpoint-security]]
-=== Credential Manipulation - Detected - Elastic Endpoint Security
+[[credential-manipulation-detected-endpoint-security]]
+=== Credential Manipulation - Detected - Endpoint Security
 
-Elastic Endpoint Security detected Credential Manipulation. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security detected Credential Manipulation. Click the Elastic En
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<credential-manipulation-detected-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<credential-manipulation-detected-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,9 +46,11 @@ endgame.event_subtype_full:token_manipulation_event)
 ----------------------------------
 
 
-[[credential-manipulation-detected-elastic-endpoint-security-history]]
+[[credential-manipulation-detected-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Credential Manipulation - Detected - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Manipulation - Detected - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-endpoint-security.asciidoc
similarity index 63%
rename from docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-endpoint-security.asciidoc
index 5ad219658b..575b879867 100644
--- a/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/credential-manipulation-prevented-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[credential-manipulation-prevented-elastic-endpoint-security]]
-=== Credential Manipulation - Prevented - Elastic Endpoint Security
+[[credential-manipulation-prevented-endpoint-security]]
+=== Credential Manipulation - Prevented - Endpoint Security
 
-Elastic Endpoint Security prevented Credential Manipulation. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security prevented Credential Manipulation. Click the Elastic E
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<credential-manipulation-prevented-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<credential-manipulation-prevented-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,9 +46,11 @@ endgame.event_subtype_full:token_manipulation_event)
 ----------------------------------
 
 
-[[credential-manipulation-prevented-elastic-endpoint-security-history]]
+[[credential-manipulation-prevented-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Credential Manipulation - Prevented - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Credential Manipulation - Prevented - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc b/docs/detections/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc
index f5b29dba37..ab35dcb782 100644
--- a/docs/detections/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/delete-volume-usn-journal-with-fsutil.asciidoc
@@ -25,13 +25,16 @@ post-exploitation activities.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 4 (<<delete-volume-usn-journal-with-fsutil-history, version history>>)
+*Version*: 5 (<<delete-volume-usn-journal-with-fsutil-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -62,6 +65,9 @@ process.name:fsutil.exe and process.args:(deletejournal and usn)
 [[delete-volume-usn-journal-with-fsutil-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc b/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc
index bb7e9e7afc..de41b5851a 100644
--- a/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc
@@ -24,13 +24,16 @@ other malware may do this to prevent system recovery.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 4 (<<deleting-backup-catalogs-with-wbadmin-history, version history>>)
+*Version*: 5 (<<deleting-backup-catalogs-with-wbadmin-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -61,6 +64,9 @@ process.name:wbadmin.exe and process.args:(catalog and delete)
 [[deleting-backup-catalogs-with-wbadmin-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc b/docs/detections/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc
index b753b2691e..b17152b551 100644
--- a/docs/detections/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/deletion-of-bash-command-line-history.asciidoc
@@ -24,13 +24,16 @@ evade detection or forensic investigations.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 2 (<<deletion-of-bash-command-line-history-history, version history>>)
+*Version*: 3 (<<deletion-of-bash-command-line-history-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -62,6 +65,9 @@ process.args:/\/(home\/.{1,255}|root)\/\.bash_history/
 [[deletion-of-bash-command-line-history-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc
index 25693bdeb1..2b290d383b 100644
--- a/docs/detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/direct-outbound-smb-connection.asciidoc
@@ -8,7 +8,7 @@ connections are established by the kernel. Processes making 445/tcp connections
 may be port scanners, exploits, or suspicious user-level processes moving
 laterally.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -28,13 +28,16 @@ laterally.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Lateral Movement
 
-*Version*: 4 (<<direct-outbound-smb-connection-history, version history>>)
+*Version*: 5 (<<direct-outbound-smb-connection-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,9 +48,10 @@ laterally.
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-destination.port:445 and not process.pid:4 and not
-destination.ip:(127.0.0.1 or "::1")
+sequence by process.entity_id [process where event.type == "start"
+and process.pid != 4] [network where destination.port == 445 and
+process.pid != 4 and not cidrmatch(destination.ip, "127.0.0.1",
+"::1")]
 ----------------------------------
 
 ==== Threat mapping
@@ -66,6 +70,16 @@ destination.ip:(127.0.0.1 or "::1")
 [[direct-outbound-smb-connection-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+destination.port:445 and not process.pid:4 and not
+destination.ip:(127.0.0.1 or "::1")
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc b/docs/detections/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc
index 195ba48a3c..078900f18e 100644
--- a/docs/detections/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/disable-windows-firewall-rules-via-netsh.asciidoc
@@ -25,13 +25,16 @@ troubleshooting or to enable network mobility.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 4 (<<disable-windows-firewall-rules-via-netsh-history, version history>>)
+*Version*: 5 (<<disable-windows-firewall-rules-via-netsh-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -63,6 +66,9 @@ or process.args:(advfirewall and off and state)
 [[disable-windows-firewall-rules-via-netsh-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc
index 1377318b6b..d51244f164 100644
--- a/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/dns-activity-to-the-internet.asciidoc
@@ -34,12 +34,14 @@ malicious communications.
 
 * Elastic
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<dns-activity-to-the-internet-history, version history>>)
+*Version*: 5 (<<dns-activity-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -78,6 +80,9 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or
 [[dns-activity-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc b/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc
index e834d63ab4..e67b78ad8a 100644
--- a/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/dns-tunneling.asciidoc
@@ -31,14 +31,15 @@ the DNS protocol to tunnel data.
 *Tags*:
 
 * Elastic
+* Network
+* Threat Detection
 * ML
-* Packetbeat
 
-*Version*: 2 (<<dns-tunneling-history, version history>>)
+*Version*: 3 (<<dns-tunneling-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -51,6 +52,9 @@ DNS domains that use large numbers of child domains, such as software or content
 [[dns-tunneling-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/encoding-or-decoding-files-via-certutil.asciidoc b/docs/detections/prebuilt-rules/rule-details/encoding-or-decoding-files-via-certutil.asciidoc
index 3083da0a21..59bed488c8 100644
--- a/docs/detections/prebuilt-rules/rule-details/encoding-or-decoding-files-via-certutil.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/encoding-or-decoding-files-via-certutil.asciidoc
@@ -26,13 +26,16 @@ and control or exfiltration.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 4 (<<encoding-or-decoding-files-via-certutil-history, version history>>)
+*Version*: 5 (<<encoding-or-decoding-files-via-certutil-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -64,6 +67,9 @@ process.name:certutil.exe and process.args:(-decode or -encode or
 [[encoding-or-decoding-files-via-certutil-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/endpoint-security.asciidoc
similarity index 55%
rename from docs/detections/prebuilt-rules/rule-details/elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/endpoint-security.asciidoc
index 971ca63d7c..40c65eb98e 100644
--- a/docs/detections/prebuilt-rules/rule-details/elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/endpoint-security.asciidoc
@@ -1,9 +1,7 @@
-[[elastic-endpoint-security]]
-=== Elastic Endpoint Security
+[[endpoint-security]]
+=== Endpoint Security
 
-Generates a detection alert each time an Elastic Endpoint alert is received.
-Enabling this rule allows you to immediately begin investigating your Elastic
-Endpoint alerts.
+Generates a detection alert each time an Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.
 
 *Rule type*: query
 
@@ -24,12 +22,14 @@ Endpoint alerts.
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 1
+*Version*: 2 (<<endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -42,3 +42,9 @@ Endpoint alerts.
 event.kind:alert and event.module:(endpoint and not endgame)
 ----------------------------------
 
+
+[[endpoint-security-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Rule name changed from: Elastic Endpoint Security
diff --git a/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc b/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc
index 86165d8cd0..e9a0a02071 100644
--- a/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc
@@ -26,13 +26,16 @@ need to reboot the system.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Discovery
 
-*Version*: 3 (<<enumeration-of-kernel-modules-history, version history>>)
+*Version*: 4 (<<enumeration-of-kernel-modules-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -68,6 +71,9 @@ modinfo))
 [[enumeration-of-kernel-modules-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/execution-of-file-written-or-modified-by-microsoft-office.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-of-file-written-or-modified-by-microsoft-office.asciidoc
new file mode 100644
index 0000000000..9946a4712c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/execution-of-file-written-or-modified-by-microsoft-office.asciidoc
@@ -0,0 +1,65 @@
+[[execution-of-file-written-or-modified-by-microsoft-office]]
+=== Execution of File Written or Modified by Microsoft Office
+
+Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence with maxspan=2h [file where event.type != "deletion" and
+file.extension : "exe" and (process.name : "WINWORD.EXE" or
+process.name : "EXCEL.EXE" or process.name : "OUTLOOK.EXE" or
+process.name : "POWERPNT.EXE" or process.name : "eqnedt32.exe"
+or process.name : "fltldr.exe" or process.name :
+"MSPUB.EXE" or process.name : "MSACCESS.EXE") ] by host.id,
+file.path [process where event.type in ("start", "process_started")]
+by host.id, process.executable
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Scripting
+** ID: T1064
+** Reference URL: https://attack.mitre.org/techniques/T1064/
diff --git a/docs/detections/prebuilt-rules/rule-details/execution-of-file-written-or-modified-by-pdf-reader.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-of-file-written-or-modified-by-pdf-reader.asciidoc
new file mode 100644
index 0000000000..f351ab4646
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/execution-of-file-written-or-modified-by-pdf-reader.asciidoc
@@ -0,0 +1,67 @@
+[[execution-of-file-written-or-modified-by-pdf-reader]]
+=== Execution of File Written or Modified by PDF Reader
+
+Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence with maxspan=2h [file where event.type != "deletion" and
+file.extension : "exe" and (process.name : "AcroRd32.exe" or
+process.name : "rdrcef.exe" or process.name :
+"FoxitPhantomPDF.exe" or process.name : "FoxitReader.exe") and
+not (file.name : "FoxitPhantomPDF.exe" or file.name :
+"FoxitPhantomPDFUpdater.exe" or file.name :
+"FoxitReader.exe" or file.name : "FoxitReaderUpdater.exe" or
+file.name : "AcroRd32.exe" or file.name : "rdrcef.exe") ]
+by host.id, file.path [process where event.type in ("start",
+"process_started")] by host.id, process.executable
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Scripting
+** ID: T1064
+** Reference URL: https://attack.mitre.org/techniques/T1064/
diff --git a/docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp_cmdshell-stored-procedure.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp_cmdshell-stored-procedure.asciidoc
new file mode 100644
index 0000000000..f3272dc896
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp_cmdshell-stored-procedure.asciidoc
@@ -0,0 +1,59 @@
+[[execution-via-mssql-xp_cmdshell-stored-procedure]]
+=== Execution via MSSQL xp_cmdshell Stored Procedure
+
+Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.name:cmd.exe and process.parent.name:sqlservr.exe
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
diff --git a/docs/detections/prebuilt-rules/rule-details/execution-via-regsvcs-regasm.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-via-regsvcs-regasm.asciidoc
index 9c5c2e407b..2765e83028 100644
--- a/docs/detections/prebuilt-rules/rule-details/execution-via-regsvcs-regasm.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/execution-via-regsvcs-regasm.asciidoc
@@ -26,13 +26,16 @@ Windows utility.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 3 (<<execution-via-regsvcs-regasm-history, version history>>)
+*Version*: 4 (<<execution-via-regsvcs-regasm-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -73,6 +76,9 @@ process.name:(RegAsm.exe or RegSvcs.exe)
 [[execution-via-regsvcs-regasm-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/exploit-detected-endpoint-security.asciidoc
similarity index 65%
rename from docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/exploit-detected-endpoint-security.asciidoc
index 2620289819..aee9992904 100644
--- a/docs/detections/prebuilt-rules/rule-details/exploit-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/exploit-detected-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[exploit-detected-elastic-endpoint-security]]
-=== Exploit - Detected - Elastic Endpoint Security
+[[exploit-detected-endpoint-security]]
+=== Exploit - Detected - Endpoint Security
 
-Elastic Endpoint Security detected an Exploit. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security detected an Exploit. Click the Elastic Endpoint Securi
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<exploit-detected-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<exploit-detected-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,9 +45,11 @@ endgame.event_subtype_full:exploit_event)
 ----------------------------------
 
 
-[[exploit-detected-elastic-endpoint-security-history]]
+[[exploit-detected-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Exploit - Detected - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Exploit - Detected - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/exploit-prevented-endpoint-security.asciidoc
similarity index 65%
rename from docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/exploit-prevented-endpoint-security.asciidoc
index 4c77f613bd..dd2be683be 100644
--- a/docs/detections/prebuilt-rules/rule-details/exploit-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/exploit-prevented-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[exploit-prevented-elastic-endpoint-security]]
-=== Exploit - Prevented - Elastic Endpoint Security
+[[exploit-prevented-endpoint-security]]
+=== Exploit - Prevented - Endpoint Security
 
-Elastic Endpoint Security prevented an Exploit. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security prevented an Exploit. Click the Elastic Endpoint Secur
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<exploit-prevented-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<exploit-prevented-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,9 +45,11 @@ endgame.event_subtype_full:exploit_event)
 ----------------------------------
 
 
-[[exploit-prevented-elastic-endpoint-security-history]]
+[[exploit-prevented-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Exploit - Prevented - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Exploit - Prevented - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/external-alerts.asciidoc b/docs/detections/prebuilt-rules/rule-details/external-alerts.asciidoc
index 4094d65a82..db10dae85b 100644
--- a/docs/detections/prebuilt-rules/rule-details/external-alerts.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/external-alerts.asciidoc
@@ -29,11 +29,18 @@ begin investigating external alerts in the app.
 *Tags*:
 
 * Elastic
+* Network
+* Windows
+* APM
+* macOS
+* Linux
 
-*Version*: 1
+*Version*: 2 (<<external-alerts-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -46,3 +53,10 @@ begin investigating external alerts in the app.
 event.kind:alert and not event.module:(endgame or endpoint)
 ----------------------------------
 
+
+[[external-alerts-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc
index 8aecc90f8e..8683abdb66 100644
--- a/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc
@@ -27,13 +27,16 @@ end as part of the post-intrusion cleanup process.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<file-deletion-via-shred-history, version history>>)
+*Version*: 4 (<<file-deletion-via-shred-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -65,6 +68,9 @@ zero")
 [[file-deletion-via-shred-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc
index 7dea4ed3e2..4967aed171 100644
--- a/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc
@@ -25,13 +25,16 @@ directory, and change permissions prior to execution.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<file-permission-modification-in-writable-directory-history, version history>>)
+*Version*: 4 (<<file-permission-modification-in-writable-directory-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -68,6 +71,9 @@ user.name:root
 [[file-permission-modification-in-writable-directory-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc
index 89ed3c9682..74528913d4 100644
--- a/docs/detections/prebuilt-rules/rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ftp-file-transfer-protocol-activity-to-the-internet.asciidoc
@@ -16,6 +16,7 @@ or compliance standards may be unauthorized.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -30,13 +31,16 @@ or compliance standards may be unauthorized.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<ftp-file-transfer-protocol-activity-to-the-internet-history, version history>>)
+*Version*: 5 (<<ftp-file-transfer-protocol-activity-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -84,6 +88,9 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[ftp-file-transfer-protocol-activity-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-firewall-rule-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-firewall-rule-creation.asciidoc
new file mode 100644
index 0000000000..d3a812f4e2
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-firewall-rule-creation.asciidoc
@@ -0,0 +1,71 @@
+[[gcp-firewall-rule-creation]]
+=== GCP Firewall Rule Creation
+
+Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/vpc/docs/firewalls
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:v*.compute.firewalls.insert
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-firewall-rule-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-firewall-rule-deletion.asciidoc
new file mode 100644
index 0000000000..788bb91778
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-firewall-rule-deletion.asciidoc
@@ -0,0 +1,71 @@
+[[gcp-firewall-rule-deletion]]
+=== GCP Firewall Rule Deletion
+
+Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/vpc/docs/firewalls
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:v*.compute.firewalls.delete
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-firewall-rule-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-firewall-rule-modification.asciidoc
new file mode 100644
index 0000000000..201acc2149
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-firewall-rule-modification.asciidoc
@@ -0,0 +1,71 @@
+[[gcp-firewall-rule-modification]]
+=== GCP Firewall Rule Modification
+
+Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/vpc/docs/firewalls
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:v*.compute.firewalls.patch
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-iam-custom-role-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-iam-custom-role-creation.asciidoc
new file mode 100644
index 0000000000..f7822c26b6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-iam-custom-role-creation.asciidoc
@@ -0,0 +1,81 @@
+[[gcp-iam-custom-role-creation]]
+=== GCP IAM Custom Role Creation
+
+Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/iam/docs/understanding-custom-roles
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.iam.admin.v*.CreateRole and event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-iam-role-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-iam-role-deletion.asciidoc
new file mode 100644
index 0000000000..b783a3b38f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-iam-role-deletion.asciidoc
@@ -0,0 +1,71 @@
+[[gcp-iam-role-deletion]]
+=== GCP IAM Role Deletion
+
+Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/iam/docs/understanding-roles
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Account Access Removal
+** ID: T1531
+** Reference URL: https://attack.mitre.org/techniques/T1531/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-iam-service-account-key-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-iam-service-account-key-deletion.asciidoc
new file mode 100644
index 0000000000..eff03ed82a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-iam-service-account-key-deletion.asciidoc
@@ -0,0 +1,73 @@
+[[gcp-iam-service-account-key-deletion]]
+=== GCP IAM Service Account Key Deletion
+
+Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/iam/docs/service-accounts
+* https://cloud.google.com/iam/docs/creating-managing-service-account-keys
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.iam.admin.v*.DeleteServiceAccountKey and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-logging-bucket-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-logging-bucket-deletion.asciidoc
new file mode 100644
index 0000000000..67eafb3312
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-logging-bucket-deletion.asciidoc
@@ -0,0 +1,73 @@
+[[gcp-logging-bucket-deletion]]
+=== GCP Logging Bucket Deletion
+
+Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/logging/docs/buckets
+* https://cloud.google.com/logging/docs/storage
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-logging-sink-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-logging-sink-deletion.asciidoc
new file mode 100644
index 0000000000..7a7671c38e
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-logging-sink-deletion.asciidoc
@@ -0,0 +1,72 @@
+[[gcp-logging-sink-deletion]]
+=== GCP Logging Sink Deletion
+
+Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/logging/docs/export
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.logging.v*.ConfigServiceV*.DeleteSink and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-logging-sink-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-logging-sink-modification.asciidoc
new file mode 100644
index 0000000000..1b481409de
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-logging-sink-modification.asciidoc
@@ -0,0 +1,72 @@
+[[gcp-logging-sink-modification]]
+=== GCP Logging Sink Modification
+
+Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/logging/docs/export#how_sinks_work
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.logging.v*.ConfigServiceV*.UpdateSink and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
+* Technique:
+** Name: Transfer Data to Cloud Account
+** ID: T1537
+** Reference URL: https://attack.mitre.org/techniques/T1537/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-subscription-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-subscription-creation.asciidoc
new file mode 100644
index 0000000000..6d49da7070
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-subscription-creation.asciidoc
@@ -0,0 +1,72 @@
+[[gcp-pub-sub-subscription-creation]]
+=== GCP Pub/Sub Subscription Creation
+
+Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/pubsub/docs/overview
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.pubsub.v*.Subscriber.CreateSubscription and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Data from Cloud Storage Object
+** ID: T1530
+** Reference URL: https://attack.mitre.org/techniques/T1530/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-subscription-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-subscription-deletion.asciidoc
new file mode 100644
index 0000000000..3779212d57
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-subscription-deletion.asciidoc
@@ -0,0 +1,72 @@
+[[gcp-pub-sub-subscription-deletion]]
+=== GCP Pub/Sub Subscription Deletion
+
+Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/pubsub/docs/overview
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.pubsub.v*.Subscriber.DeleteSubscription and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-topic-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-topic-creation.asciidoc
new file mode 100644
index 0000000000..2d47224fb6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-topic-creation.asciidoc
@@ -0,0 +1,72 @@
+[[gcp-pub-sub-topic-creation]]
+=== GCP Pub/Sub Topic Creation
+
+Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/pubsub/docs/admin
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.pubsub.v*.Publisher.CreateTopic and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Collection
+** ID: TA0009
+** Reference URL: https://attack.mitre.org/tactics/TA0009/
+* Technique:
+** Name: Data from Cloud Storage Object
+** ID: T1530
+** Reference URL: https://attack.mitre.org/techniques/T1530/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-topic-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-topic-deletion.asciidoc
new file mode 100644
index 0000000000..2334641341
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-pub-sub-topic-deletion.asciidoc
@@ -0,0 +1,72 @@
+[[gcp-pub-sub-topic-deletion]]
+=== GCP Pub/Sub Topic Deletion
+
+Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/pubsub/docs/overview
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Log Auditing
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.pubsub.v*.Publisher.DeleteTopic and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Impair Defenses
+** ID: T1562
+** Reference URL: https://attack.mitre.org/techniques/T1562/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-service-account-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-service-account-creation.asciidoc
new file mode 100644
index 0000000000..0053c197e2
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-service-account-creation.asciidoc
@@ -0,0 +1,72 @@
+[[gcp-service-account-creation]]
+=== GCP Service Account Creation
+
+Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/iam/docs/service-accounts
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.iam.admin.v*.CreateServiceAccount and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Create Account
+** ID: T1136
+** Reference URL: https://attack.mitre.org/techniques/T1136/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-service-account-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-service-account-deletion.asciidoc
new file mode 100644
index 0000000000..a8682856cc
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-service-account-deletion.asciidoc
@@ -0,0 +1,72 @@
+[[gcp-service-account-deletion]]
+=== GCP Service Account Deletion
+
+Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/iam/docs/service-accounts
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.iam.admin.v*.DeleteServiceAccount and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Account Access Removal
+** ID: T1531
+** Reference URL: https://attack.mitre.org/techniques/T1531/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-service-account-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-service-account-disabled.asciidoc
new file mode 100644
index 0000000000..534849c0ca
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-service-account-disabled.asciidoc
@@ -0,0 +1,72 @@
+[[gcp-service-account-disabled]]
+=== GCP Service Account Disabled
+
+Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/iam/docs/service-accounts
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.iam.admin.v*.DisableServiceAccount and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Account Access Removal
+** ID: T1531
+** Reference URL: https://attack.mitre.org/techniques/T1531/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-service-account-key-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-service-account-key-creation.asciidoc
new file mode 100644
index 0000000000..bc18d3d957
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-service-account-key-creation.asciidoc
@@ -0,0 +1,73 @@
+[[gcp-service-account-key-creation]]
+=== GCP Service Account Key Creation
+
+Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/iam/docs/service-accounts
+* https://cloud.google.com/iam/docs/creating-managing-service-account-keys
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:google.iam.admin.v*.CreateServiceAccountKey and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-storage-bucket-configuration-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-storage-bucket-configuration-modification.asciidoc
new file mode 100644
index 0000000000..d4bdcd5528
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-storage-bucket-configuration-modification.asciidoc
@@ -0,0 +1,59 @@
+[[gcp-storage-bucket-configuration-modification]]
+=== GCP Storage Bucket Configuration Modification
+
+Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/storage/docs/key-terms#buckets
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:storage.buckets.update and event.outcome:success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-storage-bucket-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-storage-bucket-deletion.asciidoc
new file mode 100644
index 0000000000..59678e1342
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-storage-bucket-deletion.asciidoc
@@ -0,0 +1,71 @@
+[[gcp-storage-bucket-deletion]]
+=== GCP Storage Bucket Deletion
+
+Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/storage/docs/key-terms#buckets
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Monitoring
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:storage.buckets.delete
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Data Destruction
+** ID: T1485
+** Reference URL: https://attack.mitre.org/techniques/T1485/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-storage-bucket-permissions-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-storage-bucket-permissions-modification.asciidoc
new file mode 100644
index 0000000000..ac1103a302
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-storage-bucket-permissions-modification.asciidoc
@@ -0,0 +1,71 @@
+[[gcp-storage-bucket-permissions-modification]]
+=== GCP Storage Bucket Permissions Modification
+
+Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/storage/docs/access-control/iam-permissions
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:storage.setIamPermissions and event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: File and Directory Permissions Modification
+** ID: T1222
+** Reference URL: https://attack.mitre.org/techniques/T1222/
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-network-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-network-deletion.asciidoc
new file mode 100644
index 0000000000..d690a16075
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-network-deletion.asciidoc
@@ -0,0 +1,59 @@
+[[gcp-virtual-private-cloud-network-deletion]]
+=== GCP Virtual Private Cloud Network Deletion
+
+Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/vpc/docs/vpc
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:v*.compute.networks.delete and event.outcome:success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-creation.asciidoc
new file mode 100644
index 0000000000..102269f610
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-creation.asciidoc
@@ -0,0 +1,60 @@
+[[gcp-virtual-private-cloud-route-creation]]
+=== GCP Virtual Private Cloud Route Creation
+
+Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/vpc/docs/routes
+* https://cloud.google.com/vpc/docs/using-routes
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:(v*.compute.routes.insert or beta.compute.routes.insert)
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-deletion.asciidoc
new file mode 100644
index 0000000000..9f29f9939d
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/gcp-virtual-private-cloud-route-deletion.asciidoc
@@ -0,0 +1,60 @@
+[[gcp-virtual-private-cloud-route-deletion]]
+=== GCP Virtual Private Cloud Route Deletion
+
+Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://cloud.google.com/vpc/docs/routes
+* https://cloud.google.com/vpc/docs/using-routes
+
+*Tags*:
+
+* Elastic
+* Cloud
+* GCP
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+
+==== Investigation guide
+
+The GCP Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:googlecloud.audit and
+event.action:v*.compute.routes.delete and event.outcome:success
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/halfbaked-command-and-control-beacon.asciidoc b/docs/detections/prebuilt-rules/rule-details/halfbaked-command-and-control-beacon.asciidoc
new file mode 100644
index 0000000000..e285a542c8
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/halfbaked-command-and-control-beacon.asciidoc
@@ -0,0 +1,72 @@
+[[halfbaked-command-and-control-beacon]]
+=== Halfbaked Command and Control Beacon
+
+Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* packetbeat-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+* https://attack.mitre.org/software/S0151/
+
+*Tags*:
+
+* Elastic
+* Network
+* Threat Detection
+* Command and Control
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected.
+
+==== Investigation guide
+
+This activity has been observed in FIN7 campaigns.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:(network OR network_traffic) AND network.protocol:http
+AND network.transport:tcp AND
+url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/
+AND destination.port:(53 OR 80 OR 8080 OR 443)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Application Layer Protocol
+** ID: T1071
+** Reference URL: https://attack.mitre.org/techniques/T1071/
diff --git a/docs/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc
index 5bc7f8e0b9..847f801a61 100644
--- a/docs/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/hex-encoding-decoding-activity.asciidoc
@@ -24,13 +24,16 @@ use to evade detection by host- or network-based security controls.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<hex-encoding-decoding-activity-history, version history>>)
+*Version*: 4 (<<hex-encoding-decoding-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -75,6 +78,9 @@ process.name:(hexdump or od or xxd)
 [[hex-encoding-decoding-activity-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc b/docs/detections/prebuilt-rules/rule-details/high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc
new file mode 100644
index 0000000000..5c524a27c0
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc
@@ -0,0 +1,98 @@
+[[high-number-of-okta-user-password-reset-or-unlock-attempts]]
+=== High Number of Okta User Password Reset or Unlock Attempts
+
+Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target's environment and evade detection.
+
+*Rule type*: threshold
+
+*Rule indices*:
+
+* filebeat-*
+* logs-okta*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://developer.okta.com/docs/reference/api/system-log/
+* https://developer.okta.com/docs/reference/api/event-types/
+
+*Tags*:
+
+* Elastic
+* Identity
+* Okta
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.
+
+==== Investigation guide
+
+The Okta Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:okta.system and
+event.action:(system.email.account_unlock.sent_message or
+system.email.password_reset.sent_message or
+system.sms.send_account_unlock_message or
+system.sms.send_password_reset_message or
+system.voice.send_account_unlock_call or
+system.voice.send_password_reset_call or user.account.unlock_token)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Valid Accounts
+** ID: T1078
+** Reference URL: https://attack.mitre.org/techniques/T1078/
diff --git a/docs/detections/prebuilt-rules/rule-details/hosts-file-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/hosts-file-modified.asciidoc
new file mode 100644
index 0000000000..5aa8f1b182
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/hosts-file-modified.asciidoc
@@ -0,0 +1,71 @@
+[[hosts-file-modified]]
+=== Hosts File Modified
+
+The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* auditbeat-*
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Windows
+* macOS
+* Threat Detection
+* Impact
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and event.type:(change or creation) and
+file.path:("/private/etc/hosts" or "/etc/hosts" or
+"C:\Windows\System32\drivers\etc\hosts")
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Impact
+** ID: TA0040
+** Reference URL: https://attack.mitre.org/tactics/TA0040/
+* Technique:
+** Name: Stored Data Manipulation
+** ID: T1492
+** Reference URL: https://attack.mitre.org/techniques/T1492/
diff --git a/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc
index efdc066526..4677886e87 100644
--- a/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc
@@ -29,13 +29,15 @@ testing applications, including scanning and firewall auditing.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 
-*Version*: 4 (<<hping-process-activity-history, version history>>)
+*Version*: 5 (<<hping-process-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -58,6 +60,9 @@ process.name:(hping or hping2 or hping3)
 [[hping-process-activity-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/iis-http-logging-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/iis-http-logging-disabled.asciidoc
new file mode 100644
index 0000000000..938d75a775
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/iis-http-logging-disabled.asciidoc
@@ -0,0 +1,62 @@
+[[iis-http-logging-disabled]]
+=== IIS HTTP Logging Disabled
+
+Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 33
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+(process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe
+or winlog.event_data.OriginalFileName:appcmd.exe) and
+process.args:/dontLog\:\"True\" and not
+process.parent.name:iissetup.exe
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Indicator Removal on Host
+** ID: T1070
+** Reference URL: https://attack.mitre.org/techniques/T1070/
diff --git a/docs/detections/prebuilt-rules/rule-details/inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc b/docs/detections/prebuilt-rules/rule-details/inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc
new file mode 100644
index 0000000000..927af2e090
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc
@@ -0,0 +1,72 @@
+[[inbound-connection-to-an-unsecure-elasticsearch-node]]
+=== Inbound Connection to an Unsecure Elasticsearch Node
+
+Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* packetbeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html
+* https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers
+
+*Tags*:
+
+* Elastic
+* Network
+* Threat Detection
+* Initial Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy.
+
+==== Investigation guide
+
+This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:network_traffic AND network.protocol:http AND status:OK
+AND destination.port:9200 AND network.direction:inbound AND NOT
+http.response.headers.content-type:"image/x-icon" AND NOT
+_exists_:http.request.headers.authorization
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Exploit Public-Facing Application
+** ID: T1190
+** Reference URL: https://attack.mitre.org/techniques/T1190/
diff --git a/docs/detections/prebuilt-rules/rule-details/installation-of-custom-shim-databases.asciidoc b/docs/detections/prebuilt-rules/rule-details/installation-of-custom-shim-databases.asciidoc
new file mode 100644
index 0000000000..ac00c1d1f2
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/installation-of-custom-shim-databases.asciidoc
@@ -0,0 +1,63 @@
+[[installation-of-custom-shim-databases]]
+=== Installation of Custom Shim Databases
+
+Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id with maxspan=5m [process where
+event.type in ("start", "process_started") and not (process.name
+: "sdbinst.exe" and process.parent.name : "msiexec.exe")] [registry
+where event.type in ("creation", "change") and
+wildcard(registry.path, "HKLM\\SOFTWARE\\Microsoft\\Windows
+NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb")]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Application Shimming
+** ID: T1138
+** Reference URL: https://attack.mitre.org/techniques/T1138/
diff --git a/docs/detections/prebuilt-rules/rule-details/installutil-process-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/rule-details/installutil-process-making-network-connections.asciidoc
new file mode 100644
index 0000000000..1e7ac76e0a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/installutil-process-making-network-connections.asciidoc
@@ -0,0 +1,63 @@
+[[installutil-process-making-network-connections]]
+=== InstallUtil Process Making Network Connections
+
+Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+/* the benefit of doing this as an eql sequence vs kql is this will
+limit to alerting only on the first network connection */ sequence by
+process.entity_id [process where event.type in ("start",
+"process_started") and process.name : "installutil.exe"] [network
+where process.name : "installutil.exe" and network.direction ==
+"outgoing"]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: InstallUtil
+** ID: T1118
+** Reference URL: https://attack.mitre.org/techniques/T1118/
diff --git a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc
index 009b1a4272..edc06295f2 100644
--- a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc
@@ -25,13 +25,16 @@ access to a host.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Execution
 
-*Version*: 3 (<<interactive-terminal-spawned-via-perl-history, version history>>)
+*Version*: 4 (<<interactive-terminal-spawned-via-perl-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -56,13 +59,16 @@ process.name:perl and process.args:("exec \"/bin/sh\";" or "exec
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Command-Line Interface
+** Name: Command and Scripting Interpreter
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
 
 [[interactive-terminal-spawned-via-perl-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc
index e0f401f30e..e2b6efaaf9 100644
--- a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc
@@ -25,13 +25,16 @@ access to a host.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Execution
 
-*Version*: 3 (<<interactive-terminal-spawned-via-python-history, version history>>)
+*Version*: 4 (<<interactive-terminal-spawned-via-python-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -57,13 +60,16 @@ pty.spawn(\"/bin/sh\")" or "import pty; pty.spawn(\"/bin/dash\")" or
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Command-Line Interface
+** Name: Command and Scripting Interpreter
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
 
 [[interactive-terminal-spawned-via-python-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/ipsec-nat-traversal-port-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/ipsec-nat-traversal-port-activity.asciidoc
index 68277e2eb4..347d302298 100644
--- a/docs/detections/prebuilt-rules/rule-details/ipsec-nat-traversal-port-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ipsec-nat-traversal-port-activity.asciidoc
@@ -14,6 +14,7 @@ detection.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -28,13 +29,16 @@ detection.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 3 (<<ipsec-nat-traversal-port-activity-history, version history>>)
+*Version*: 4 (<<ipsec-nat-traversal-port-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -69,6 +73,9 @@ and destination.port:4500
 [[ipsec-nat-traversal-port-activity-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc
index f3c08ce81d..37645b2a78 100644
--- a/docs/detections/prebuilt-rules/rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/irc-internet-relay-chat-protocol-activity-to-the-internet.asciidoc
@@ -12,6 +12,7 @@ transfers to and from a network.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: medium
 
@@ -26,13 +27,16 @@ transfers to and from a network.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<irc-internet-relay-chat-protocol-activity-to-the-internet-history, version history>>)
+*Version*: 5 (<<irc-internet-relay-chat-protocol-activity-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -71,7 +75,7 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 * Tactic:
 ** Name: Exfiltration
 ** ID: TA0010
-** Reference URL: https://attack.mitre.org/tactics/TA0011/
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
 * Technique:
 ** Name: Exfiltration Over Alternative Protocol
 ** ID: T1048
@@ -80,6 +84,9 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[irc-internet-relay-chat-protocol-activity-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/kerberos-cached-credentials-dumping.asciidoc b/docs/detections/prebuilt-rules/rule-details/kerberos-cached-credentials-dumping.asciidoc
new file mode 100644
index 0000000000..a203eb8fe3
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/kerberos-cached-credentials-dumping.asciidoc
@@ -0,0 +1,64 @@
+[[kerberos-cached-credentials-dumping]]
+=== Kerberos Cached Credentials Dumping
+
+Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* auditbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py
+* https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html
+
+*Tags*:
+
+* Elastic
+* Host
+* macOS
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.name:kcc and process.args:copy_cred_cache
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
diff --git a/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc b/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc
index 8b646c099c..3485933348 100644
--- a/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc
@@ -29,13 +29,16 @@ the functionality of the kernel without the need to reboot the system.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<kernel-module-removal-history, version history>>)
+*Version*: 4 (<<kernel-module-removal-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -81,6 +84,9 @@ or "-r")))
 [[kernel-module-removal-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/local-scheduled-task-commands.asciidoc b/docs/detections/prebuilt-rules/rule-details/local-scheduled-task-commands.asciidoc
index ac41203ff0..acbe140b4c 100644
--- a/docs/detections/prebuilt-rules/rule-details/local-scheduled-task-commands.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/local-scheduled-task-commands.asciidoc
@@ -24,13 +24,16 @@ laterally, and/or escalate privileges.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Persistence
 
-*Version*: 4 (<<local-scheduled-task-commands-history, version history>>)
+*Version*: 5 (<<local-scheduled-task-commands-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -59,13 +62,16 @@ or -s or /S or /change or /create or /run)
 ** ID: TA0003
 ** Reference URL: https://attack.mitre.org/tactics/TA0003/
 * Technique:
-** Name: Scheduled Task
+** Name: Scheduled Task/Job
 ** ID: T1053
 ** Reference URL: https://attack.mitre.org/techniques/T1053/
 
 [[local-scheduled-task-commands-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/local-service-commands.asciidoc b/docs/detections/prebuilt-rules/rule-details/local-service-commands.asciidoc
index 52575d31ae..e3d305658a 100644
--- a/docs/detections/prebuilt-rules/rule-details/local-service-commands.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/local-service-commands.asciidoc
@@ -25,13 +25,16 @@ commonly done by admins.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<local-service-commands-history, version history>>)
+*Version*: 5 (<<local-service-commands-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -63,6 +66,9 @@ start)
 [[local-service-commands-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/malware-detected-endpoint-security.asciidoc
similarity index 66%
rename from docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/malware-detected-endpoint-security.asciidoc
index c1b8d9a794..0689c12e0b 100644
--- a/docs/detections/prebuilt-rules/rule-details/malware-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/malware-detected-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[malware-detected-elastic-endpoint-security]]
-=== Malware - Detected - Elastic Endpoint Security
+[[malware-detected-endpoint-security]]
+=== Malware - Detected - Endpoint Security
 
-Elastic Endpoint Security detected Malware. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security detected Malware. Click the Elastic Endpoint Security
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<malware-detected-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<malware-detected-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,9 +46,11 @@ endgame.event_subtype_full:file_classification_event)
 ----------------------------------
 
 
-[[malware-detected-elastic-endpoint-security-history]]
+[[malware-detected-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Malware - Detected - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Malware - Detected - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/malware-prevented-endpoint-security.asciidoc
similarity index 66%
rename from docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/malware-prevented-endpoint-security.asciidoc
index 2e8ed3d1ae..55e40550d2 100644
--- a/docs/detections/prebuilt-rules/rule-details/malware-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/malware-prevented-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[malware-prevented-elastic-endpoint-security]]
-=== Malware - Prevented - Elastic Endpoint Security
+[[malware-prevented-endpoint-security]]
+=== Malware - Prevented - Endpoint Security
 
-Elastic Endpoint Security prevented Malware. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security prevented Malware. Click the Elastic Endpoint Security
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<malware-prevented-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<malware-prevented-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,9 +46,11 @@ endgame.event_subtype_full:file_classification_event)
 ----------------------------------
 
 
-[[malware-prevented-elastic-endpoint-security-history]]
+[[malware-prevented-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Malware - Prevented - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Malware - Prevented - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-loading-windows-credential-libraries.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-loading-windows-credential-libraries.asciidoc
index d0786af59f..77236a2147 100644
--- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-loading-windows-credential-libraries.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-loading-windows-credential-libraries.asciidoc
@@ -25,13 +25,16 @@ is sometimes used for credential dumping.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Credential Access
 
-*Version*: 3 (<<microsoft-build-engine-loading-windows-credential-libraries-history, version history>>)
+*Version*: 4 (<<microsoft-build-engine-loading-windows-credential-libraries-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -60,13 +63,16 @@ dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe
 ** ID: TA0006
 ** Reference URL: https://attack.mitre.org/tactics/TA0006/
 * Technique:
-** Name: Credential Dumping
+** Name: OS Credential Dumping
 ** ID: T1003
 ** Reference URL: https://attack.mitre.org/techniques/T1003/
 
 [[microsoft-build-engine-loading-windows-credential-libraries-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc
index e40a73fd09..8608a7f230 100644
--- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc
@@ -29,13 +29,16 @@ deploy a malicious payload using the Build Engine.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<microsoft-build-engine-started-an-unusual-process-history, version history>>)
+*Version*: 4 (<<microsoft-build-engine-started-an-unusual-process-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -71,6 +74,9 @@ iexplore.exe or powershell.exe)
 [[microsoft-build-engine-started-an-unusual-process-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc
index c2812e7b17..4d9faf53c1 100644
--- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc
@@ -25,13 +25,16 @@ by malicious payloads.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<microsoft-build-engine-started-by-a-script-process-history, version history>>)
+*Version*: 4 (<<microsoft-build-engine-started-by-a-script-process-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -60,7 +63,7 @@ powershell.exe or cscript.exe or wscript.exe)
 ** ID: TA0005
 ** Reference URL: https://attack.mitre.org/tactics/TA0005/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
@@ -70,13 +73,16 @@ powershell.exe or cscript.exe or wscript.exe)
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
 [[microsoft-build-engine-started-by-a-script-process-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-system-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-system-process.asciidoc
index 5695b69f24..2f3bf7dfd5 100644
--- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-system-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-system-process.asciidoc
@@ -25,13 +25,16 @@ and is sometimes used by malicious payloads.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<microsoft-build-engine-started-by-a-system-process-history, version history>>)
+*Version*: 4 (<<microsoft-build-engine-started-by-a-system-process-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -60,7 +63,7 @@ wmiprvse.exe)
 ** ID: TA0005
 ** Reference URL: https://attack.mitre.org/tactics/TA0005/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
@@ -70,13 +73,16 @@ wmiprvse.exe)
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
 [[microsoft-build-engine-started-by-a-system-process-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-an-office-application.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-an-office-application.asciidoc
index eeff77f844..490b5f03c0 100644
--- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-an-office-application.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-an-office-application.asciidoc
@@ -29,13 +29,16 @@ by an Excel or Word document executing a malicious script payload.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<microsoft-build-engine-started-by-an-office-application-history, version history>>)
+*Version*: 4 (<<microsoft-build-engine-started-by-an-office-application-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -65,7 +68,7 @@ powerpnt.exe or winword.exe)
 ** ID: TA0005
 ** Reference URL: https://attack.mitre.org/tactics/TA0005/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
@@ -75,13 +78,16 @@ powerpnt.exe or winword.exe)
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
 [[microsoft-build-engine-started-by-an-office-application-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc
index 01b622130c..463f2dadec 100644
--- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc
@@ -25,13 +25,16 @@ unnoticed or undetected.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<microsoft-build-engine-using-an-alternate-name-history, version history>>)
+*Version*: 4 (<<microsoft-build-engine-using-an-alternate-name-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -47,7 +50,7 @@ The Build Engine is commonly used by Windows developers but use by non-engineers
 [source,js]
 ----------------------------------
 event.category:process and event.type:(start or process_started) and
-(pe.original_file_name:MSBuild.exe or
+(process.pe.original_file_name:MSBuild.exe or
 winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name:
 MSBuild.exe
 ----------------------------------
@@ -68,6 +71,17 @@ MSBuild.exe
 [[microsoft-build-engine-using-an-alternate-name-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+(pe.original_file_name:MSBuild.exe or
+winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name:
+MSBuild.exe
+----------------------------------
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-iis-connection-strings-decryption.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-iis-connection-strings-decryption.asciidoc
new file mode 100644
index 0000000000..030f9a2391
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-iis-connection-strings-decryption.asciidoc
@@ -0,0 +1,67 @@
+[[microsoft-iis-connection-strings-decryption]]
+=== Microsoft IIS Connection Strings Decryption
+
+Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 33
+
+*References*:
+
+* https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/
+* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+(process.name:aspnet_regiis.exe or
+process.pe.original_file_name:aspnet_regiis.exe or
+winlog.event_data.OriginalFileName:aspnet_regiis.exe) and
+process.args:(connectionStrings and "-pdf")
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-iis-service-account-password-dumped.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-iis-service-account-password-dumped.asciidoc
new file mode 100644
index 0000000000..f04094f1e7
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/microsoft-iis-service-account-password-dumped.asciidoc
@@ -0,0 +1,66 @@
+[[microsoft-iis-service-account-password-dumped]]
+=== Microsoft IIS Service Account Password Dumped
+
+Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 33
+
+*References*:
+
+* https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process AND event.type:(start OR process_started) AND
+(process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe
+or winlog.event_data.OriginalFileName:appcmd.exe) AND
+process.args:(/[lL][iI][sS][tT]/ AND
+/\/[tT][eE][xX][tT]\:[pP][aA][sS][sS][wW][oO][rR][dD]/)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
diff --git a/docs/detections/prebuilt-rules/rule-details/mimikatz-memssp-log-file-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/mimikatz-memssp-log-file-detected.asciidoc
new file mode 100644
index 0000000000..984392e5d7
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/mimikatz-memssp-log-file-detected.asciidoc
@@ -0,0 +1,59 @@
+[[mimikatz-memssp-log-file-detected]]
+=== Mimikatz Memssp Log File Detected
+
+Identifies the password log file from the default Mimikatz memssp module.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Credential Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and file.name:mimilsa.log and
+process.name:lsass.exe
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: OS Credential Dumping
+** ID: T1003
+** Reference URL: https://attack.mitre.org/techniques/T1003/
diff --git a/docs/detections/prebuilt-rules/rule-details/mknod-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/mknod-process-activity.asciidoc
index 4cf21e1e1b..1fcfca8e08 100644
--- a/docs/detections/prebuilt-rules/rule-details/mknod-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/mknod-process-activity.asciidoc
@@ -24,18 +24,20 @@ when the traditional version of `netcat` is not available to the payload.
 
 *References*:
 
-* https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem
+* https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/
 
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 
-*Version*: 4 (<<mknod-process-activity-history, version history>>)
+*Version*: 5 (<<mknod-process-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -58,6 +60,9 @@ process.name:mknod
 [[mknod-process-activity-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/modification-of-boot-configuration.asciidoc b/docs/detections/prebuilt-rules/rule-details/modification-of-boot-configuration.asciidoc
index 8bb425af53..ff82bea126 100644
--- a/docs/detections/prebuilt-rules/rule-details/modification-of-boot-configuration.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/modification-of-boot-configuration.asciidoc
@@ -24,13 +24,16 @@ attackers sometimes use this tactic as a destructive technique.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<modification-of-boot-configuration-history, version history>>)
+*Version*: 4 (<<modification-of-boot-configuration-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -62,6 +65,9 @@ and ignoreallfailures or no and recoveryenabled))
 [[modification-of-boot-configuration-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc
index 66d66530a3..5b392d4a76 100644
--- a/docs/detections/prebuilt-rules/rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc
@@ -9,6 +9,7 @@ application in order to remove or weaken an organization's security controls.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: medium
 
@@ -28,15 +29,18 @@ application in order to remove or weaken an organization's security controls.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<modification-or-removal-of-an-okta-application-sign-on-policy-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -56,6 +60,20 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
+event.dataset:okta.system and
+event.action:(application.policy.sign_on.update or
+application.policy.sign_on.rule.delete)
+----------------------------------
+
+
+[[modification-or-removal-of-an-okta-application-sign-on-policy-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.module:okta and event.dataset:okta.system and
 event.action:(application.policy.sign_on.update or
 application.policy.sign_on.rule.delete)
diff --git a/docs/detections/prebuilt-rules/rule-details/msbuild-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/rule-details/msbuild-making-network-connections.asciidoc
index a56f27e933..737c043d9b 100644
--- a/docs/detections/prebuilt-rules/rule-details/msbuild-making-network-connections.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/msbuild-making-network-connections.asciidoc
@@ -5,7 +5,7 @@ Identifies `MsBuild.exe` making outbound network connections. This may indicate
 adversarial activity as MsBuild is often leveraged by adversaries to execute
 code and evade detection.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -25,13 +25,16 @@ code and evade detection.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<msbuild-making-network-connections-history, version history>>)
+*Version*: 5 (<<msbuild-making-network-connections-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -42,8 +45,10 @@ code and evade detection.
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or "::1")
+sequence by process.entity_id [process where process.name :
+"MSBuild.exe" and event.type == "start"] [network where process.name
+: "MSBuild.exe" and not cidrmatch(destination.ip, "127.0.0.1",
+"::1")]
 ----------------------------------
 
 ==== Threat mapping
@@ -55,13 +60,22 @@ process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or "::1")
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
 [[msbuild-making-network-connections-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or "::1")
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/msbuild-network-connection-sequence.asciidoc b/docs/detections/prebuilt-rules/rule-details/msbuild-network-connection-sequence.asciidoc
new file mode 100644
index 0000000000..390fae466c
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/msbuild-network-connection-sequence.asciidoc
@@ -0,0 +1,58 @@
+[[msbuild-network-connection-sequence]]
+=== MsBuild Network Connection Sequence
+
+Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Windows
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id [process where event.type in ("start",
+"process_started") and process.name == "MSBuild.exe"] [network where
+process.name == "MSBuild.exe" and not (destination.address ==
+"127.0.0.1" and source.address == "127.0.0.1")]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Trusted Developer Utilities Proxy Execution
+** ID: T1127
+** Reference URL: https://attack.mitre.org/techniques/T1127/
diff --git a/docs/detections/prebuilt-rules/rule-details/mshta-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/rule-details/mshta-making-network-connections.asciidoc
new file mode 100644
index 0000000000..4d57470cda
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/mshta-making-network-connections.asciidoc
@@ -0,0 +1,66 @@
+[[mshta-making-network-connections]]
+=== Mshta Making Network Connections
+
+Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id with maxspan=2h [process where
+event.type in ("start", "process_started") and process.name :
+"mshta.exe" and not process.parent.name :
+"Microsoft.ConfigurationManagement.exe" and not
+(process.parent.executable : "C:\\Amazon\\Amazon
+Assistant\\amazonAssistantService.exe" or
+process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
+not process.args : "ADSelfService_Enroll.hta"] [network where
+process.name : "mshta.exe"]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Mshta
+** ID: T1170
+** Reference URL: https://attack.mitre.org/techniques/T1170/
diff --git a/docs/detections/prebuilt-rules/rule-details/msxsl-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/rule-details/msxsl-making-network-connections.asciidoc
new file mode 100644
index 0000000000..5055907971
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/msxsl-making-network-connections.asciidoc
@@ -0,0 +1,58 @@
+[[msxsl-making-network-connections]]
+=== MsXsl Making Network Connections
+
+Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Windows
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id [process where event.type in ("start",
+"process_started") and process.name == "msxsl.exe"] [network where
+event.type == "connection" and process.name == "msxsl.exe" and
+network.direction == "outgoing"]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: XSL Script Processing
+** ID: T1220
+** Reference URL: https://attack.mitre.org/techniques/T1220/
diff --git a/docs/detections/prebuilt-rules/rule-details/multi-factor-authentication-disabled-for-an-azure-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/multi-factor-authentication-disabled-for-an-azure-user.asciidoc
new file mode 100644
index 0000000000..15176dc319
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/multi-factor-authentication-disabled-for-an-azure-user.asciidoc
@@ -0,0 +1,64 @@
+[[multi-factor-authentication-disabled-for-an-azure-user]]
+=== Multi-Factor Authentication Disabled for an Azure User
+
+Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.auditlogs and
+azure.auditlogs.operation_name:"Disable Strong Authentication" and
+event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/rule-details/net-command-via-system-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/net-command-via-system-account.asciidoc
index c54d830d67..137c939e9c 100644
--- a/docs/detections/prebuilt-rules/rule-details/net-command-via-system-account.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/net-command-via-system-account.asciidoc
@@ -25,13 +25,16 @@ for control of users, groups, services, and network connections.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Discovery
 
-*Version*: 3 (<<net-command-via-system-account-history, version history>>)
+*Version*: 4 (<<net-command-via-system-account-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -43,7 +46,7 @@ for control of users, groups, services, and network connections.
 [source,js]
 ----------------------------------
 event.category:process and event.type:(start or process_started) and
-(process.name:net.exe or process.name:net1.exe and not
+(process.name:(whoami.exe or net.exe) or process.name:net1.exe and not
 process.parent.name:net.exe) and user.name:SYSTEM
 ----------------------------------
 
@@ -63,6 +66,16 @@ process.parent.name:net.exe) and user.name:SYSTEM
 [[net-command-via-system-account-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+(process.name:net.exe or process.name:net1.exe and not
+process.parent.name:net.exe) and user.name:SYSTEM
+----------------------------------
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/netcat-network-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/netcat-network-activity.asciidoc
index c54b3d8b9c..d6151f761f 100644
--- a/docs/detections/prebuilt-rules/rule-details/netcat-network-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/netcat-network-activity.asciidoc
@@ -6,7 +6,7 @@ often used as a persistence mechanism by exporting a reverse shell or by serving
 a shell on a listening port. Netcat is also sometimes used for data
 exfiltration.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -32,13 +32,15 @@ exfiltration.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 
-*Version*: 4 (<<netcat-network-activity-history, version history>>)
+*Version*: 5 (<<netcat-network-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -53,15 +55,29 @@ Netcat is a dual-use tool that can be used for benign or malicious activity. Net
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:(access or connection or start)
-and process.name:(nc or ncat or netcat or netcat.openbsd or
-netcat.traditional)
+sequence by process.entity_id [process where (process.name == "nc"
+or process.name == "ncat" or process.name == "netcat" or
+process.name == "netcat.openbsd" or process.name ==
+"netcat.traditional") and event.type == "start"] [network where
+(process.name == "nc" or process.name == "ncat" or process.name ==
+"netcat" or process.name == "netcat.openbsd" or
+process.name == "netcat.traditional")]
 ----------------------------------
 
 
 [[netcat-network-activity-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:(access or connection or start)
+and process.name:(nc or ncat or netcat or netcat.openbsd or
+netcat.traditional)
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc
index 72149577c0..28677db7b8 100644
--- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc
@@ -4,7 +4,7 @@
 Identifies `certutil.exe` making a network connection. Adversaries could abuse
 `certutil.exe` to download a certificate or malware from a remote URL.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -24,13 +24,16 @@ Identifies `certutil.exe` making a network connection. Adversaries could abuse
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Command and Control
 
-*Version*: 3 (<<network-connection-via-certutil-history, version history>>)
+*Version*: 4 (<<network-connection-via-certutil-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -41,9 +44,10 @@ Identifies `certutil.exe` making a network connection. Adversaries could abuse
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or
-172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id [process where process.name :
+"certutil.exe" and event.type == "start"] [network where
+process.name : "certutil.exe" and not cidrmatch(destination.ip,
+"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
 ----------------------------------
 
 ==== Threat mapping
@@ -55,13 +59,23 @@ process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or
 ** ID: TA0011
 ** Reference URL: https://attack.mitre.org/tactics/TA0011/
 * Technique:
-** Name: Remote File Copy
+** Name: Ingress Tool Transfer
 ** ID: T1105
 ** Reference URL: https://attack.mitre.org/techniques/T1105/
 
 [[network-connection-via-certutil-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or
+172.16.0.0/12 or 192.168.0.0/16)
+----------------------------------
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-compiled-html-file.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-compiled-html-file.asciidoc
index 2a5cc15e0f..c9c7719133 100644
--- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-compiled-html-file.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-compiled-html-file.asciidoc
@@ -6,7 +6,7 @@ HTML Help system. Adversaries may conceal malicious code in a CHM file and
 deliver it to a victim for execution. CHM content is loaded by the HTML Help
 executable program (`hh.exe`).
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -26,13 +26,16 @@ executable program (`hh.exe`).
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<network-connection-via-compiled-html-file-history, version history>>)
+*Version*: 5 (<<network-connection-via-compiled-html-file-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -43,9 +46,10 @@ executable program (`hh.exe`).
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:hh.exe and not destination.ip:(10.0.0.0/8 or
-172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id [process where process.name : "hh.exe"
+and event.type == "start"] [network where process.name : "hh.exe"
+and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12",
+"192.168.0.0/16")]
 ----------------------------------
 
 ==== Threat mapping
@@ -74,6 +78,16 @@ process.name:hh.exe and not destination.ip:(10.0.0.0/8 or
 [[network-connection-via-compiled-html-file-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:hh.exe and not destination.ip:(10.0.0.0/8 or
+172.16.0.0/12 or 192.168.0.0/16)
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-msxsl.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-msxsl.asciidoc
index ee9ab0df8d..39d5c8db4e 100644
--- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-msxsl.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-msxsl.asciidoc
@@ -5,7 +5,7 @@ Identifies `msxsl.exe` making a network connection. This may indicate
 adversarial activity as `msxsl.exe` is often leveraged by adversaries to
 execute malicious scripts and evade detection.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -25,13 +25,16 @@ execute malicious scripts and evade detection.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 3 (<<network-connection-via-msxsl-history, version history>>)
+*Version*: 4 (<<network-connection-via-msxsl-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -42,9 +45,10 @@ execute malicious scripts and evade detection.
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or
-172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id [process where process.name :
+"msxsl.exe" and event.type == "start"] [network where process.name :
+"msxsl.exe" and not cidrmatch(destination.ip, "10.0.0.0/8",
+"172.16.0.0/12", "192.168.0.0/16")]
 ----------------------------------
 
 ==== Threat mapping
@@ -63,6 +67,16 @@ process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or
 [[network-connection-via-msxsl-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or
+172.16.0.0/12 or 192.168.0.0/16)
+----------------------------------
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-regsvr.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-registration-utility.asciidoc
similarity index 61%
rename from docs/detections/prebuilt-rules/rule-details/network-connection-via-regsvr.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/network-connection-via-registration-utility.asciidoc
index d4915609f9..4ac73e5ef3 100644
--- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-regsvr.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-registration-utility.asciidoc
@@ -1,11 +1,9 @@
-[[network-connection-via-regsvr]]
-=== Network Connection via Regsvr
+[[network-connection-via-registration-utility]]
+=== Network Connection via Registration Utility
 
-Identifies the native Windows tools `regsvr32.exe` and `regsvr64.exe` making a
-network connection. This may be indicative of an attacker bypassing allowlists
-or running arbitrary scripts via a signed Microsoft binary.
+Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -25,13 +23,16 @@ or running arbitrary scripts via a signed Microsoft binary.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<network-connection-via-regsvr-history, version history>>)
+*Version*: 5 (<<network-connection-via-registration-utility-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,10 +47,14 @@ Security testing may produce events like this. Activity of this kind performed b
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:(regsvr32.exe or regsvr64.exe) and not
-destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or
-192.168.0.0/16)
+sequence by process.entity_id [process where (process.name :
+"regsvr32.exe" or process.name : "regsvr64.exe" or
+process.name : "RegAsm.exe" or process.name : "RegSvcs.exe") and
+event.type == "start"] [network where (process.name : "regsvr32.exe"
+or process.name : "regsvr64.exe" or process.name :
+"RegAsm.exe" or process.name : "RegSvcs.exe") and not
+cidrmatch(destination.ip, "10.0.0.0/8", "169.254.169.254",
+"172.16.0.0/12", "192.168.0.0/16")]
 ----------------------------------
 
 ==== Threat mapping
@@ -71,13 +76,26 @@ destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or
 ** ID: TA0005
 ** Reference URL: https://attack.mitre.org/tactics/TA0005/
 * Technique:
-** Name: Regsvr32
-** ID: T1117
-** Reference URL: https://attack.mitre.org/techniques/T1117/
+** Name: Signed Binary Proxy Execution
+** ID: T1218
+** Reference URL: https://attack.mitre.org/techniques/T1218/
 
-[[network-connection-via-regsvr-history]]
+[[network-connection-via-registration-utility-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Rule name changed from: Network Connection via Regsvr
++
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:(regsvr32.exe or regsvr64.exe) and not
+destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or
+192.168.0.0/16)
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc
index c0e9ba034e..266b7a644d 100644
--- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc
@@ -6,7 +6,7 @@ protected by digital signature validation. Adversaries may use these binaries to
 'live off the land' and execute malicious files that could bypass application
 allowlists and signature validation.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -26,13 +26,16 @@ allowlists and signature validation.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 4 (<<network-connection-via-signed-binary-history, version history>>)
+*Version*: 5 (<<network-connection-via-signed-binary-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -43,9 +46,14 @@ allowlists and signature validation.
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe)
-and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id [process where (process.name :
+"expand.exe" or process.name : "extrac.exe" or
+process.name : "ieexec.exe" or process.name : "makecab.exe") and
+event.type == "start"] [network where (process.name : "expand.exe"
+or process.name : "extrac.exe" or process.name :
+"ieexec.exe" or process.name : "makecab.exe") and not
+cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12",
+"192.168.0.0/16")]
 ----------------------------------
 
 ==== Threat mapping
@@ -74,6 +82,16 @@ and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 [[network-connection-via-signed-binary-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe)
+and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/network-sniffing-via-tcpdump.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-sniffing-via-tcpdump.asciidoc
index a44d5e2c8f..f54dece94d 100644
--- a/docs/detections/prebuilt-rules/rule-details/network-sniffing-via-tcpdump.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/network-sniffing-via-tcpdump.asciidoc
@@ -26,13 +26,16 @@ prelude to lateral movement or defense evasion.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Credential Access
 
-*Version*: 4 (<<network-sniffing-via-tcpdump-history, version history>>)
+*Version*: 5 (<<network-sniffing-via-tcpdump-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -77,6 +80,9 @@ process.name:tcpdump
 [[network-sniffing-via-tcpdump-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/nmap-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/nmap-process-activity.asciidoc
index 4d13c46fd7..1b9143da11 100644
--- a/docs/detections/prebuilt-rules/rule-details/nmap-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/nmap-process-activity.asciidoc
@@ -30,13 +30,15 @@ support of exploitation, execution or lateral movement.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 
-*Version*: 4 (<<nmap-process-activity-history, version history>>)
+*Version*: 5 (<<nmap-process-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -59,6 +61,9 @@ process.name:nmap
 [[nmap-process-activity-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc
index 3bb74d53e9..cb57bc8042 100644
--- a/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc
@@ -29,13 +29,15 @@ applications, including denial of service testing.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 
-*Version*: 4 (<<nping-process-activity-history, version history>>)
+*Version*: 5 (<<nping-process-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -58,6 +60,9 @@ process.name:nping
 [[nping-process-activity-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/okta-brute-force-or-password-spraying-attack.asciidoc b/docs/detections/prebuilt-rules/rule-details/okta-brute-force-or-password-spraying-attack.asciidoc
index 5f24b11d76..e81e7483db 100644
--- a/docs/detections/prebuilt-rules/rule-details/okta-brute-force-or-password-spraying-attack.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/okta-brute-force-or-password-spraying-attack.asciidoc
@@ -8,6 +8,7 @@ Identifies a high number of failed Okta user authentication attempts from a sing
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: medium
 
@@ -27,15 +28,18 @@ Identifies a high number of failed Okta user authentication attempts from a sing
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Identity and Access
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<okta-brute-force-or-password-spraying-attack-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -53,8 +57,8 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
-event.category:authentication and event.outcome:failure
+event.dataset:okta.system and event.category:authentication and
+event.outcome:failure
 ----------------------------------
 
 ==== Threat mapping
@@ -69,3 +73,16 @@ event.category:authentication and event.outcome:failure
 ** Name: Brute Force
 ** ID: T1110
 ** Reference URL: https://attack.mitre.org/techniques/T1110/
+
+[[okta-brute-force-or-password-spraying-attack-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.category:authentication and event.outcome:failure
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-endpoint-security.asciidoc
similarity index 64%
rename from docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/permission-theft-detected-endpoint-security.asciidoc
index ba151a128c..7ff229fde3 100644
--- a/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/permission-theft-detected-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[permission-theft-detected-elastic-endpoint-security]]
-=== Permission Theft - Detected - Elastic Endpoint Security
+[[permission-theft-detected-endpoint-security]]
+=== Permission Theft - Detected - Endpoint Security
 
-Elastic Endpoint Security detected Permission Theft. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security detected Permission Theft. Click the Elastic Endpoint
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<permission-theft-detected-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<permission-theft-detected-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,9 +46,11 @@ endgame.event_subtype_full:token_protection_event)
 ----------------------------------
 
 
-[[permission-theft-detected-elastic-endpoint-security-history]]
+[[permission-theft-detected-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Permission Theft - Detected - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Permission Theft - Detected - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-endpoint-security.asciidoc
similarity index 64%
rename from docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-endpoint-security.asciidoc
index db694e1252..94fc81d46b 100644
--- a/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/permission-theft-prevented-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[permission-theft-prevented-elastic-endpoint-security]]
-=== Permission Theft - Prevented - Elastic Endpoint Security
+[[permission-theft-prevented-endpoint-security]]
+=== Permission Theft - Prevented - Endpoint Security
 
-Elastic Endpoint Security prevented Permission Theft. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security prevented Permission Theft. Click the Elastic Endpoint
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<permission-theft-prevented-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<permission-theft-prevented-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,9 +46,11 @@ endgame.event_subtype_full:token_protection_event)
 ----------------------------------
 
 
-[[permission-theft-prevented-elastic-endpoint-security-history]]
+[[permission-theft-prevented-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Permission Theft - Prevented - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Permission Theft - Prevented - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-kernel-module-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-kernel-module-modification.asciidoc
index 2a2e1f31f4..d42cb87e54 100644
--- a/docs/detections/prebuilt-rules/rule-details/persistence-via-kernel-module-modification.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-kernel-module-modification.asciidoc
@@ -28,13 +28,16 @@ potential persistence attempts.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Persistence
 
-*Version*: 4 (<<persistence-via-kernel-module-modification-history, version history>>)
+*Version*: 5 (<<persistence-via-kernel-module-modification-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -69,6 +72,9 @@ process.name:(insmod or kmod or modprobe or rmod)
 [[persistence-via-kernel-module-modification-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc
new file mode 100644
index 0000000000..3bd0f4e6f3
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc
@@ -0,0 +1,66 @@
+[[persistence-via-telemetrycontroller-scheduled-task-hijack]]
+=== Persistence via TelemetryController Scheduled Task Hijack
+
+Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and
+not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe
+or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or
+dismhost.exe or rundll32.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Scheduled Task/Job
+** ID: T1053
+** Reference URL: https://attack.mitre.org/techniques/T1053/
diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-update-orchestrator-service-hijack.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-update-orchestrator-service-hijack.asciidoc
new file mode 100644
index 0000000000..adcc42f308
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-update-orchestrator-service-hijack.asciidoc
@@ -0,0 +1,66 @@
+[[persistence-via-update-orchestrator-service-hijack]]
+=== Persistence via Update Orchestrator Service Hijack
+
+Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://github.com/irsl/CVE-2020-1313
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Persistence
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.parent.name:svchost.exe and process.parent.args:(UsoSvc or
+usosvc) and not process.name:(UsoClient.exe or usoclient.exe or
+MusNotification.exe or musnotification.exe or MusNotificationUx.exe or
+musnotificationux.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: New Service
+** ID: T1050
+** Reference URL: https://attack.mitre.org/techniques/T1050/
diff --git a/docs/detections/prebuilt-rules/rule-details/possible-consent-grant-attack-via-azure-registered-application.asciidoc b/docs/detections/prebuilt-rules/rule-details/possible-consent-grant-attack-via-azure-registered-application.asciidoc
new file mode 100644
index 0000000000..6bb9b6c920
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/possible-consent-grant-attack-via-azure-registered-application.asciidoc
@@ -0,0 +1,82 @@
+[[possible-consent-grant-attack-via-azure-registered-application]]
+=== Possible Consent Grant Attack via Azure-Registered Application
+
+Identifies when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+- The Azure Filebeat module must be enabled to use this rule.
+- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.
+- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.
+- Security analysts should review the list of trusted applications for any suspicious items.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:(azure.activitylogs or azure.auditlogs) and (
+azure.activitylogs.operation_name:"Consent to application" or
+azure.auditlogs.operation_name:"Consent to application" ) and
+event.outcome:success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Spearphishing Link
+** ID: T1192
+** Reference URL: https://attack.mitre.org/techniques/T1192/
+
+
+* Tactic:
+** Name: Credential Access
+** ID: TA0006
+** Reference URL: https://attack.mitre.org/tactics/TA0006/
+* Technique:
+** Name: Steal Application Access Token
+** ID: T1528
+** Reference URL: https://attack.mitre.org/techniques/T1528/
diff --git a/docs/detections/prebuilt-rules/rule-details/possible-fin7-dga-command-and-control-behavior.asciidoc b/docs/detections/prebuilt-rules/rule-details/possible-fin7-dga-command-and-control-behavior.asciidoc
new file mode 100644
index 0000000000..179afdf5d6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/possible-fin7-dga-command-and-control-behavior.asciidoc
@@ -0,0 +1,71 @@
+[[possible-fin7-dga-command-and-control-behavior]]
+=== Possible FIN7 DGA Command and Control Behavior
+
+This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* packetbeat-*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
+
+*Tags*:
+
+* Elastic
+* Network
+* Threat Detection
+* Command and Control
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations.
+
+==== Investigation guide
+
+In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:(network OR network_traffic) AND type:(tls OR http) AND
+network.transport:tcp AND
+destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT
+destination.domain:zoom.us
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Domain Generation Algorithms
+** ID: T1483
+** Reference URL: https://attack.mitre.org/techniques/T1483/
diff --git a/docs/detections/prebuilt-rules/rule-details/possible-okta-dos-attack.asciidoc b/docs/detections/prebuilt-rules/rule-details/possible-okta-dos-attack.asciidoc
index 5a7c46cdc3..c2dbe32b64 100644
--- a/docs/detections/prebuilt-rules/rule-details/possible-okta-dos-attack.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/possible-okta-dos-attack.asciidoc
@@ -9,6 +9,7 @@ performing a denial of service (DoS) attack against its Okta infrastructure.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: medium
 
@@ -28,15 +29,18 @@ performing a denial of service (DoS) attack against its Okta infrastructure.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<possible-okta-dos-attack-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -50,7 +54,7 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
+event.dataset:okta.system and
 event.action:(application.integration.rate_limit_exceeded or
 system.org.rate_limit.warning or system.org.rate_limit.violation or
 core.concurrency.org.limit.violation)
@@ -68,3 +72,18 @@ core.concurrency.org.limit.violation)
 ** Name: Network Denial of Service
 ** ID: T1498
 ** Reference URL: https://attack.mitre.org/techniques/T1498/
+
+[[possible-okta-dos-attack-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:(application.integration.rate_limit_exceeded or
+system.org.rate_limit.warning or system.org.rate_limit.violation or
+core.concurrency.org.limit.violation)
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-application-shimming-via-sdbinst.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-application-shimming-via-sdbinst.asciidoc
index dfa0631e86..2e291db576 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-application-shimming-via-sdbinst.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-application-shimming-via-sdbinst.asciidoc
@@ -11,6 +11,7 @@ execution in legitimate Windows processes.
 *Rule indices*:
 
 * winlogbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -25,13 +26,16 @@ execution in legitimate Windows processes.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Persistence
 
-*Version*: 3 (<<potential-application-shimming-via-sdbinst-history, version history>>)
+*Version*: 4 (<<potential-application-shimming-via-sdbinst-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -42,7 +46,8 @@ execution in legitimate Windows processes.
 
 [source,js]
 ----------------------------------
-event.code:1 and process.name:sdbinst.exe
+event.category:process and event.type:(start or process_started) and
+process.name:sdbinst.exe
 ----------------------------------
 
 ==== Threat mapping
@@ -71,6 +76,14 @@ event.code:1 and process.name:sdbinst.exe
 [[potential-application-shimming-via-sdbinst-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:1 and process.name:sdbinst.exe
+----------------------------------
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc
index 14324d0348..3db906d5d3 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc
@@ -26,13 +26,16 @@ tools and activities.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<potential-disabling-of-selinux-history, version history>>)
+*Version*: 4 (<<potential-disabling-of-selinux-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -63,6 +66,9 @@ process.name:setenforce and process.args:0
 [[potential-disabling-of-selinux-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc
new file mode 100644
index 0000000000..facbbf3f70
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc
@@ -0,0 +1,68 @@
+[[potential-dll-sideloading-via-trusted-microsoft-programs]]
+=== Potential DLL SideLoading via Trusted Microsoft Programs
+
+Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+(process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or
+w3wp.exe or DISM.EXE) or
+winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or
+w3wp.exe or DISM.EXE)) and not (process.name:(winword.exe or
+WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
+process.executable:("C:\Windows\explorer.exe" or
+C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or C\
+:\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE
+or "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
+"C:\Windows\System32\inetsrv\w3wp.exe"))
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Masquerading
+** ID: T1036
+** Reference URL: https://attack.mitre.org/techniques/T1036/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-iodine.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-iodine.asciidoc
index 14d723cb45..01e50e6559 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-iodine.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-iodine.asciidoc
@@ -29,13 +29,15 @@ access lists while evading detection.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 
-*Version*: 4 (<<potential-dns-tunneling-via-iodine-history, version history>>)
+*Version*: 5 (<<potential-dns-tunneling-via-iodine-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -58,6 +60,9 @@ process.name:(iodine or iodined)
 [[potential-dns-tunneling-via-iodine-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-evasion-via-filter-manager.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-evasion-via-filter-manager.asciidoc
index 3fb15c8b02..b693c9c37a 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-evasion-via-filter-manager.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-evasion-via-filter-manager.asciidoc
@@ -9,6 +9,7 @@ adversaries to unload a filter driver and evade defenses.
 *Rule indices*:
 
 * winlogbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -23,13 +24,16 @@ adversaries to unload a filter driver and evade defenses.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<potential-evasion-via-filter-manager-history, version history>>)
+*Version*: 4 (<<potential-evasion-via-filter-manager-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -40,7 +44,8 @@ adversaries to unload a filter driver and evade defenses.
 
 [source,js]
 ----------------------------------
-event.code:1 and process.name:fltMC.exe
+event.category:process and event.type:(start or process_started) and
+process.name:fltMC.exe
 ----------------------------------
 
 ==== Threat mapping
@@ -59,6 +64,14 @@ event.code:1 and process.name:fltMC.exe
 [[potential-evasion-via-filter-manager-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:1 and process.name:fltMC.exe
+----------------------------------
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-modification-of-accessibility-binaries.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-modification-of-accessibility-binaries.asciidoc
index dc6379cf7d..bf5faa71a0 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-modification-of-accessibility-binaries.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-modification-of-accessibility-binaries.asciidoc
@@ -11,6 +11,7 @@ the system.
 *Rule indices*:
 
 * winlogbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -25,13 +26,16 @@ the system.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Persistence
 
-*Version*: 3 (<<potential-modification-of-accessibility-binaries-history, version history>>)
+*Version*: 4 (<<potential-modification-of-accessibility-binaries-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -42,9 +46,10 @@ the system.
 
 [source,js]
 ----------------------------------
-event.code:1 and process.parent.name:winlogon.exe and
-process.name:(atbroker.exe or displayswitch.exe or magnify.exe or
-narrator.exe or osk.exe or sethc.exe or utilman.exe)
+event.category:process and event.type:(start or process_started) and
+process.parent.name:winlogon.exe and not process.name:(atbroker.exe or
+displayswitch.exe or magnify.exe or narrator.exe or osk.exe or
+sethc.exe or utilman.exe)
 ----------------------------------
 
 ==== Threat mapping
@@ -73,6 +78,16 @@ narrator.exe or osk.exe or sethc.exe or utilman.exe)
 [[potential-modification-of-accessibility-binaries-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:1 and process.parent.name:winlogon.exe and
+process.name:(atbroker.exe or displayswitch.exe or magnify.exe or
+narrator.exe or osk.exe or sethc.exe or utilman.exe)
+----------------------------------
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc
new file mode 100644
index 0000000000..b5bd210436
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc
@@ -0,0 +1,62 @@
+[[potential-secure-file-deletion-via-sdelete-utility]]
+=== Potential Secure File Deletion via SDelete Utility
+
+Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+Verify process details such as command line and hash to confirm this activity legitimacy.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file AND event.type:change AND file.name:/.+A+\.AAA/
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: File Deletion
+** ID: T1107
+** Reference URL: https://attack.mitre.org/techniques/T1107/
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc
index 4c19d24d9b..a512b20abe 100644
--- a/docs/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/potential-shell-via-web-server.asciidoc
@@ -28,13 +28,16 @@ vulnerability and remote shell access.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Persistence
 
-*Version*: 5 (<<potential-shell-via-web-server-history, version history>>)
+*Version*: 6 (<<potential-shell-via-web-server-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -70,6 +73,9 @@ process.name:(bash or dash) and user.name:(apache or nginx or www or
 [[potential-shell-via-web-server-history]]
 ==== Rule version history
 
+Version 6 (7.10.0 release)::
+* Formatting only
+
 Version 5 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-spawning-cmd.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-spawning-cmd.asciidoc
index 407a23149e..c1dc6c7c2d 100644
--- a/docs/detections/prebuilt-rules/rule-details/powershell-spawning-cmd.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/powershell-spawning-cmd.asciidoc
@@ -24,13 +24,16 @@ descending from `PowerShell.exe`.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<powershell-spawning-cmd-history, version history>>)
+*Version*: 5 (<<powershell-spawning-cmd-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -54,7 +57,7 @@ process.parent.name:powershell.exe and process.name:cmd.exe
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Command-Line Interface
+** Name: Command and Scripting Interpreter
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
 
@@ -71,6 +74,9 @@ process.parent.name:powershell.exe and process.name:cmd.exe
 [[powershell-spawning-cmd-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/pptp-point-to-point-tunneling-protocol-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/pptp-point-to-point-tunneling-protocol-activity.asciidoc
index 6648a34782..c97f3cb599 100644
--- a/docs/detections/prebuilt-rules/rule-details/pptp-point-to-point-tunneling-protocol-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/pptp-point-to-point-tunneling-protocol-activity.asciidoc
@@ -11,6 +11,7 @@ detection.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -25,13 +26,16 @@ detection.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 3 (<<pptp-point-to-point-tunneling-protocol-activity-history, version history>>)
+*Version*: 4 (<<pptp-point-to-point-tunneling-protocol-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -66,6 +70,9 @@ and destination.port:1723
 [[pptp-point-to-point-tunneling-protocol-activity-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/process-activity-via-compiled-html-file.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-activity-via-compiled-html-file.asciidoc
index 1f4ab67f73..8fb74044eb 100644
--- a/docs/detections/prebuilt-rules/rule-details/process-activity-via-compiled-html-file.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/process-activity-via-compiled-html-file.asciidoc
@@ -11,6 +11,7 @@ executable program (`hh.exe`).
 *Rule indices*:
 
 * winlogbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -25,13 +26,16 @@ executable program (`hh.exe`).
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 3 (<<process-activity-via-compiled-html-file-history, version history>>)
+*Version*: 4 (<<process-activity-via-compiled-html-file-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,7 +50,8 @@ The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled
 
 [source,js]
 ----------------------------------
-event.code:1 and process.name:hh.exe
+event.category:process and event.type:(start or process_started) and
+process.name:hh.exe
 ----------------------------------
 
 ==== Threat mapping
@@ -75,6 +80,14 @@ event.code:1 and process.name:hh.exe
 [[process-activity-via-compiled-html-file-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:1 and process.name:hh.exe
+----------------------------------
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/process-discovery-via-tasklist.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-discovery-via-tasklist.asciidoc
index 45232e1e5c..84f6c3963f 100644
--- a/docs/detections/prebuilt-rules/rule-details/process-discovery-via-tasklist.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/process-discovery-via-tasklist.asciidoc
@@ -8,6 +8,7 @@ Adversaries may attempt to get information about running processes on a system.
 *Rule indices*:
 
 * winlogbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -22,13 +23,16 @@ Adversaries may attempt to get information about running processes on a system.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Discovery
 
-*Version*: 3 (<<process-discovery-via-tasklist-history, version history>>)
+*Version*: 4 (<<process-discovery-via-tasklist-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -43,7 +47,8 @@ Administrators may use the tasklist command to display a list of currently runni
 
 [source,js]
 ----------------------------------
-event.code:1 and process.name:tasklist.exe
+event.category:process and event.type:(start or process_started) and
+process.name:tasklist.exe
 ----------------------------------
 
 ==== Threat mapping
@@ -62,6 +67,14 @@ event.code:1 and process.name:tasklist.exe
 [[process-discovery-via-tasklist-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:1 and process.name:tasklist.exe
+----------------------------------
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc
index 256bbedb63..2ed9b88bda 100644
--- a/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc
@@ -24,13 +24,16 @@ privileges.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 2 (<<process-injection-by-the-microsoft-build-engine-history, version history>>)
+*Version*: 3 (<<process-injection-by-the-microsoft-build-engine-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -75,6 +78,9 @@ process.name:MSBuild.exe and event.action:"CreateRemoteThread detected
 [[process-injection-by-the-microsoft-build-engine-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-injection-detected-endpoint-security.asciidoc
similarity index 64%
rename from docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/process-injection-detected-endpoint-security.asciidoc
index acf5d482e2..89450c921e 100644
--- a/docs/detections/prebuilt-rules/rule-details/process-injection-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/process-injection-detected-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[process-injection-detected-elastic-endpoint-security]]
-=== Process Injection - Detected - Elastic Endpoint Security
+[[process-injection-detected-endpoint-security]]
+=== Process Injection - Detected - Endpoint Security
 
-Elastic Endpoint Security detected Process Injection. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security detected Process Injection. Click the Elastic Endpoint
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<process-injection-detected-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<process-injection-detected-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,9 +46,11 @@ endgame.event_subtype_full:kernel_shellcode_event)
 ----------------------------------
 
 
-[[process-injection-detected-elastic-endpoint-security-history]]
+[[process-injection-detected-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Process Injection - Detected - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Process Injection - Detected - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-endpoint-security.asciidoc
similarity index 64%
rename from docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/process-injection-prevented-endpoint-security.asciidoc
index 3ea09b44f2..cc3afc445f 100644
--- a/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/process-injection-prevented-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[process-injection-prevented-elastic-endpoint-security]]
-=== Process Injection - Prevented - Elastic Endpoint Security
+[[process-injection-prevented-endpoint-security]]
+=== Process Injection - Prevented - Endpoint Security
 
-Elastic Endpoint Security prevented Process Injection. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security prevented Process Injection. Click the Elastic Endpoin
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<process-injection-prevented-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<process-injection-prevented-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -46,9 +46,11 @@ endgame.event_subtype_full:kernel_shellcode_event)
 ----------------------------------
 
 
-[[process-injection-prevented-elastic-endpoint-security-history]]
+[[process-injection-prevented-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Process Injection - Prevented - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Process Injection - Prevented - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/process-potentially-masquerading-as-werfault.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-potentially-masquerading-as-werfault.asciidoc
new file mode 100644
index 0000000000..d67caa3e07
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/process-potentially-masquerading-as-werfault.asciidoc
@@ -0,0 +1,69 @@
+[[process-potentially-masquerading-as-werfault]]
+=== Process Potentially Masquerading as WerFault
+
+Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://twitter.com/SBousseaden/status/1235533224337641473
+* https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Legit Application Crash with rare Werfault commandline value
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.name:WerFault.exe and not process.args:((("-u" or "-pss") and
+"-p" and "-s") or ("/h" and "/shared") or ("-k" and "-lcq"))
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Masquerading
+** ID: T1036
+** Reference URL: https://attack.mitre.org/techniques/T1036/
diff --git a/docs/detections/prebuilt-rules/rule-details/proxy-port-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/proxy-port-activity-to-the-internet.asciidoc
index e0c7b8863e..8f0bdb9813 100644
--- a/docs/detections/prebuilt-rules/rule-details/proxy-port-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/proxy-port-activity-to-the-internet.asciidoc
@@ -12,6 +12,7 @@ circumvent network controls and detection mechanisms.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: medium
 
@@ -26,13 +27,16 @@ circumvent network controls and detection mechanisms.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<proxy-port-activity-to-the-internet-history, version history>>)
+*Version*: 5 (<<proxy-port-activity-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -83,6 +87,9 @@ or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
 [[proxy-port-activity-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc
index 68f48de0be..09e43648c1 100644
--- a/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc
@@ -4,7 +4,7 @@
 Identifies use of the SysInternals tool `PsExec.exe` making a network
 connection. This could be an indication of lateral movement.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -24,13 +24,16 @@ connection. This could be an indication of lateral movement.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<psexec-network-connection-history, version history>>)
+*Version*: 5 (<<psexec-network-connection-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,8 +48,9 @@ PsExec is a dual-use tool that can be used for benign or malicious activity. It'
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:PsExec.exe
+sequence by process.entity_id [process where process.name :
+"PsExec.exe" and event.type == "start"] [network where process.name
+: "PsExec.exe"]
 ----------------------------------
 
 ==== Threat mapping
@@ -75,6 +79,15 @@ process.name:PsExec.exe
 [[psexec-network-connection-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:PsExec.exe
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/public-ip-reconnaissance-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/public-ip-reconnaissance-activity.asciidoc
new file mode 100644
index 0000000000..846deffbf9
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/public-ip-reconnaissance-activity.asciidoc
@@ -0,0 +1,74 @@
+[[public-ip-reconnaissance-activity]]
+=== Public IP Reconnaissance Activity
+
+Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* packetbeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation
+* https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
+
+*Tags*:
+
+* Elastic
+* Network
+* Threat Detection
+* Discovery
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables.
+
+==== Investigation guide
+
+This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:network AND event.type:connection AND
+server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me
+OR icanhazip.com OR myexternalip.com OR api.ipify.org OR
+bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT
+http.response.status_code:302 AND status:OK AND NOT
+_exists_:http.request.referrer
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: System Network Configuration Discovery
+** ID: T1016
+** Reference URL: https://attack.mitre.org/techniques/T1016/
diff --git a/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/ransomware-detected-endpoint-security.asciidoc
similarity index 65%
rename from docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/ransomware-detected-endpoint-security.asciidoc
index 16ec66cf60..9778f1f3f9 100644
--- a/docs/detections/prebuilt-rules/rule-details/ransomware-detected-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ransomware-detected-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[ransomware-detected-elastic-endpoint-security]]
-=== Ransomware - Detected - Elastic Endpoint Security
+[[ransomware-detected-endpoint-security]]
+=== Ransomware - Detected - Endpoint Security
 
-Elastic Endpoint Security detected Ransomware. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security detected Ransomware. Click the Elastic Endpoint Securi
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<ransomware-detected-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<ransomware-detected-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,9 +45,11 @@ endgame.event_subtype_full:ransomware_event)
 ----------------------------------
 
 
-[[ransomware-detected-elastic-endpoint-security-history]]
+[[ransomware-detected-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Ransomware - Detected - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Ransomware - Detected - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-endpoint-security.asciidoc
similarity index 65%
rename from docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endpoint-security.asciidoc
rename to docs/detections/prebuilt-rules/rule-details/ransomware-prevented-endpoint-security.asciidoc
index d13fa8c56b..b321278d7c 100644
--- a/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-elastic-endpoint-security.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ransomware-prevented-endpoint-security.asciidoc
@@ -1,7 +1,7 @@
-[[ransomware-prevented-elastic-endpoint-security]]
-=== Ransomware - Prevented - Elastic Endpoint Security
+[[ransomware-prevented-endpoint-security]]
+=== Ransomware - Prevented - Endpoint Security
 
-Elastic Endpoint Security prevented Ransomware. Click the Elastic Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
+Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.
 
 *Rule type*: query
 
@@ -22,13 +22,13 @@ Elastic Endpoint Security prevented Ransomware. Click the Elastic Endpoint Secur
 *Tags*:
 
 * Elastic
-* Endpoint
+* Endpoint Security
 
-*Version*: 3 (<<ransomware-prevented-elastic-endpoint-security-history, version history>>)
+*Version*: 4 (<<ransomware-prevented-endpoint-security-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -45,9 +45,11 @@ endgame.event_subtype_full:ransomware_event)
 ----------------------------------
 
 
-[[ransomware-prevented-elastic-endpoint-security-history]]
+[[ransomware-prevented-endpoint-security-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Rule name changed from: Ransomware - Prevented - Elastic Endpoint Security
 Version 3 (7.9.0 release)::
 * Rule name changed from: Ransomware - Prevented - Elastic Endpoint
 Version 2 (7.7.0 release)::
diff --git a/docs/detections/prebuilt-rules/rule-details/rare-aws-error-code.asciidoc b/docs/detections/prebuilt-rules/rule-details/rare-aws-error-code.asciidoc
index 5c165912d9..ee3aa8ed60 100644
--- a/docs/detections/prebuilt-rules/rule-details/rare-aws-error-code.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/rare-aws-error-code.asciidoc
@@ -28,14 +28,17 @@ defense evasion, discovery, lateral movement, or collection.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
 * ML
 
-*Version*: 1
+*Version*: 2 (<<rare-aws-error-code-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -75,3 +78,10 @@ accounts or could it be sourcing from an EC2 instance not under your control?
 If it is an authorized EC2 instance, is the activity associated with normal
 behavior for the instance role or roles? Are there any other alerts or signs of
 suspicious activity involving this instance?
+
+[[rare-aws-error-code-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc
index 0e19ad21ff..cc9db9ee6a 100644
--- a/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc
@@ -13,6 +13,7 @@ threat actors as an initial access or back-door vector.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: medium
 
@@ -27,13 +28,16 @@ threat actors as an initial access or back-door vector.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<rdp-remote-desktop-protocol-from-the-internet-history, version history>>)
+*Version*: 5 (<<rdp-remote-desktop-protocol-from-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -91,6 +95,9 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[rdp-remote-desktop-protocol-from-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-to-the-internet.asciidoc
index 7a960f8ffd..46b2cd0f4c 100644
--- a/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/rdp-remote-desktop-protocol-to-the-internet.asciidoc
@@ -13,6 +13,7 @@ actors as an initial access or back-door vector.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -27,13 +28,16 @@ actors as an initial access or back-door vector.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Initial Access
 
-*Version*: 4 (<<rdp-remote-desktop-protocol-to-the-internet-history, version history>>)
+*Version*: 5 (<<rdp-remote-desktop-protocol-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -61,12 +65,12 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 
 * Tactic:
 ** Name: Initial Access
-** ID: TA0011
-** Reference URL: https://attack.mitre.org/tactics/TA0011/
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
 * Technique:
 ** Name: Exploit Public-Facing Application
-** ID: T1043
-** Reference URL: https://attack.mitre.org/techniques/T1043/
+** ID: T1190
+** Reference URL: https://attack.mitre.org/techniques/T1190/
 
 
 * Tactic:
@@ -81,6 +85,9 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[rdp-remote-desktop-protocol-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/registration-tool-making-network-connections.asciidoc b/docs/detections/prebuilt-rules/rule-details/registration-tool-making-network-connections.asciidoc
new file mode 100644
index 0000000000..6da753c61d
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/registration-tool-making-network-connections.asciidoc
@@ -0,0 +1,60 @@
+[[registration-tool-making-network-connections]]
+=== Registration Tool Making Network Connections
+
+Identifies registration utilities making outbound network connections. This includes regsvcs, regasm, and regsvr32. This may indicate adversarial activity as these tools are often leveraged by adversaries to execute code and evade detection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Windows
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id [process where event.type in ("start",
+"process_started") and process.name in ("regasm.exe",
+"regsvcs.exe", "regsvr32.exe")] [network where event.type ==
+"connection" and process.name in ("regasm.exe", "regsvcs.exe",
+"regsvr32.exe")] until [process where event.type == "end" and
+process.name in ("regasm.exe", "regsvcs.exe", "regsvr32.exe")]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Regsvcs/Regasm
+** ID: T1121
+** Reference URL: https://attack.mitre.org/techniques/T1121/
diff --git a/docs/detections/prebuilt-rules/rule-details/remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-file-copy-via-teamviewer.asciidoc
new file mode 100644
index 0000000000..b16ebce4f9
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/remote-file-copy-via-teamviewer.asciidoc
@@ -0,0 +1,64 @@
+[[remote-file-copy-via-teamviewer]]
+=== Remote File Copy via TeamViewer
+
+Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Command and Control
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and event.type:creation and
+process.name:TeamViewer.exe and file.extension:(exe or dll or scr or
+com or bat or ps1 or vbs or vbe or js or wsh or hta)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Ingress Tool Transfer
+** ID: T1105
+** Reference URL: https://attack.mitre.org/techniques/T1105/
diff --git a/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-desktopimgdownldr-utility.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-desktopimgdownldr-utility.asciidoc
new file mode 100644
index 0000000000..de898f7a81
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-desktopimgdownldr-utility.asciidoc
@@ -0,0 +1,66 @@
+[[remote-file-download-via-desktopimgdownldr-utility]]
+=== Remote File Download via Desktopimgdownldr Utility
+
+Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Command and Control
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+(process.name:desktopimgdownldr.exe or
+process.pe.original_file_name:desktopimgdownldr.exe or
+winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and
+process.args:/lockscreenurl\:http*
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Ingress Tool Transfer
+** ID: T1105
+** Reference URL: https://attack.mitre.org/techniques/T1105/
diff --git a/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-mpcmdrun.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-mpcmdrun.asciidoc
new file mode 100644
index 0000000000..02c2720349
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-mpcmdrun.asciidoc
@@ -0,0 +1,72 @@
+[[remote-file-download-via-mpcmdrun]]
+=== Remote File Download via MpCmdRun
+
+Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://twitter.com/mohammadaskar2/status/1301263551638761477
+* https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Command and Control
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+(process.name:MpCmdRun.exe or
+process.pe.original_file_name:MpCmdRun.exe or
+winlog.event_data.OriginalFileName:MpCmdRun.exe) and
+process.args:(("-DownloadFile" or "-downloadfile") and "-url" and
+"-path")
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Ingress Tool Transfer
+** ID: T1105
+** Reference URL: https://attack.mitre.org/techniques/T1105/
diff --git a/docs/detections/prebuilt-rules/rule-details/remote-ssh-login-enabled-via-systemsetup-command.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-ssh-login-enabled-via-systemsetup-command.asciidoc
new file mode 100644
index 0000000000..b7c14250bd
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/remote-ssh-login-enabled-via-systemsetup-command.asciidoc
@@ -0,0 +1,65 @@
+[[remote-ssh-login-enabled-via-systemsetup-command]]
+=== Remote SSH Login Enabled via systemsetup Command
+
+Detects use of the systemsetup command to enable remote SSH Login.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* auditbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf
+* https://ss64.com/osx/systemsetup.html
+
+*Tags*:
+
+* Elastic
+* Host
+* macOS
+* Threat Detection
+* Lateral Movement
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.name:systemsetup and process.args:("-f" and "-setremotelogin"
+and on)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
diff --git a/docs/detections/prebuilt-rules/rule-details/renamed-autoit-scripts-interpreter.asciidoc b/docs/detections/prebuilt-rules/rule-details/renamed-autoit-scripts-interpreter.asciidoc
new file mode 100644
index 0000000000..3ccb8eeace
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/renamed-autoit-scripts-interpreter.asciidoc
@@ -0,0 +1,62 @@
+[[renamed-autoit-scripts-interpreter]]
+=== Renamed AutoIt Scripts Interpreter
+
+Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable to avoid detection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process AND event.type:(start OR process_started) AND (
+process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE
+]/ OR winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\d\.
+[eE][xX][eE]/) AND NOT
+process.name:/[aA][uU][tT][oO][iI][tT]\d{1,3}\.[eE][xX][eE]/
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Masquerading
+** ID: T1036
+** Reference URL: https://attack.mitre.org/techniques/T1036/
diff --git a/docs/detections/prebuilt-rules/rule-details/roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc
new file mode 100644
index 0000000000..e3ad50e013
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.asciidoc
@@ -0,0 +1,71 @@
+[[roshal-archive-rar-or-powershell-file-downloaded-from-the-internet]]
+=== Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
+
+Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* packetbeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+* https://www.justice.gov/opa/press-release/file/1084361/download
+
+*Tags*:
+
+* Elastic
+* Network
+* Threat Detection
+* Command and Control
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.
+
+==== Investigation guide
+
+This activity has been observed in FIN7 campaigns.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:(network OR network_traffic) AND network.protocol:http
+AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\/8 OR
+172.16.0.0\/12 OR 192.168.0.0\/16)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Command and Control
+** ID: TA0011
+** Reference URL: https://attack.mitre.org/tactics/TA0011/
+* Technique:
+** Name: Ingress Tool Transfer
+** ID: T1105
+** Reference URL: https://attack.mitre.org/techniques/T1105/
diff --git a/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-from-the-internet.asciidoc
index 4637bb09bf..282e259ae7 100644
--- a/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-from-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-from-the-internet.asciidoc
@@ -13,6 +13,7 @@ threat actors as an initial access or back-door vector.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: high
 
@@ -27,13 +28,16 @@ threat actors as an initial access or back-door vector.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Initial Access
 
-*Version*: 4 (<<rpc-remote-procedure-call-from-the-internet-history, version history>>)
+*Version*: 5 (<<rpc-remote-procedure-call-from-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -57,8 +61,8 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 
 * Tactic:
 ** Name: Initial Access
-** ID: TA0011
-** Reference URL: https://attack.mitre.org/tactics/TA0011/
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
 * Technique:
 ** Name: Exploit Public-Facing Application
 ** ID: T1190
@@ -67,6 +71,9 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[rpc-remote-procedure-call-from-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-to-the-internet.asciidoc
index 273c0ab74f..e5ab2131ca 100644
--- a/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/rpc-remote-procedure-call-to-the-internet.asciidoc
@@ -13,6 +13,7 @@ actors as an initial access or back-door vector.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: high
 
@@ -27,13 +28,16 @@ actors as an initial access or back-door vector.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Initial Access
 
-*Version*: 4 (<<rpc-remote-procedure-call-to-the-internet-history, version history>>)
+*Version*: 5 (<<rpc-remote-procedure-call-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -57,8 +61,8 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 
 * Tactic:
 ** Name: Initial Access
-** ID: TA0011
-** Reference URL: https://attack.mitre.org/tactics/TA0011/
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
 * Technique:
 ** Name: Exploit Public-Facing Application
 ** ID: T1190
@@ -67,6 +71,9 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[rpc-remote-procedure-call-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/service-command-lateral-movement.asciidoc b/docs/detections/prebuilt-rules/rule-details/service-command-lateral-movement.asciidoc
new file mode 100644
index 0000000000..d1cbb5efd0
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/service-command-lateral-movement.asciidoc
@@ -0,0 +1,66 @@
+[[service-command-lateral-movement]]
+=== Service Command Lateral Movement
+
+Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Lateral Movement
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id with maxspan=1m [process where
+event.type in ("start", "process_started") and
+/* uncomment once in winlogbeat */ (process.name == "sc.exe" /*
+or process.pe.original_file_name == "sc.exe" */ ) and
+/* case insensitive */ wildcard(process.args, "\\\\*") and
+wildcard(process.args, "binPath=*", "binpath=*") and
+(process.args : "create" or process.args : "config" or
+process.args : "failure" or process.args : "start")] [network
+where process.name : "sc.exe" and destination.ip != "127.0.0.1"]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Lateral Movement
+** ID: TA0008
+** Reference URL: https://attack.mitre.org/tactics/TA0008/
+* Technique:
+** Name: Remote Services
+** ID: T1021
+** Reference URL: https://attack.mitre.org/techniques/T1021/
diff --git a/docs/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc b/docs/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc
index 07612d9638..16be85c865 100644
--- a/docs/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/setgid-bit-set-via-chmod.asciidoc
@@ -23,13 +23,16 @@ An adversary may add the setgid bit to a file or directory in order to run a fil
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Privilege Escalation
 
-*Version*: 3 (<<setgid-bit-set-via-chmod-history, version history>>)
+*Version*: 4 (<<setgid-bit-set-via-chmod-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -61,8 +64,8 @@ user.name:root
 
 * Tactic:
 ** Name: Persistence
-** ID: TA0004
-** Reference URL: https://attack.mitre.org/tactics/TA0004/
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
 * Technique:
 ** Name: Setuid and Setgid
 ** ID: T1166
@@ -71,6 +74,9 @@ user.name:root
 [[setgid-bit-set-via-chmod-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc b/docs/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc
index 11bc58c40b..1beec690b9 100644
--- a/docs/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/setuid-bit-set-via-chmod.asciidoc
@@ -23,13 +23,16 @@ An adversary may add the setuid bit to a file or directory in order to run a fil
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Privilege Escalation
 
-*Version*: 3 (<<setuid-bit-set-via-chmod-history, version history>>)
+*Version*: 4 (<<setuid-bit-set-via-chmod-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -61,8 +64,8 @@ user.name:root
 
 * Tactic:
 ** Name: Persistence
-** ID: TA0004
-** Reference URL: https://attack.mitre.org/tactics/TA0004/
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
 * Technique:
 ** Name: Setuid and Setgid
 ** ID: T1166
@@ -71,6 +74,9 @@ user.name:root
 [[setuid-bit-set-via-chmod-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc
index 35d8562383..d5f457a498 100644
--- a/docs/detections/prebuilt-rules/rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/smb-windows-file-sharing-activity-to-the-internet.asciidoc
@@ -14,6 +14,7 @@ door vector or for data exfiltration.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: high
 
@@ -28,13 +29,16 @@ door vector or for data exfiltration.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Initial Access
 
-*Version*: 4 (<<smb-windows-file-sharing-activity-to-the-internet-history, version history>>)
+*Version*: 5 (<<smb-windows-file-sharing-activity-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -58,8 +62,8 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 
 * Tactic:
 ** Name: Initial Access
-** ID: TA0011
-** Reference URL: https://attack.mitre.org/tactics/TA0011/
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
 * Technique:
 ** Name: Exploit Public-Facing Application
 ** ID: T1190
@@ -78,6 +82,9 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[smb-windows-file-sharing-activity-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/smtp-on-port-26-tcp.asciidoc b/docs/detections/prebuilt-rules/rule-details/smtp-on-port-26-tcp.asciidoc
index 4c555887e3..7cc4a465df 100644
--- a/docs/detections/prebuilt-rules/rule-details/smtp-on-port-26-tcp.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/smtp-on-port-26-tcp.asciidoc
@@ -12,6 +12,7 @@ BadPatch for command and control of Windows systems.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -31,13 +32,16 @@ BadPatch for command and control of Windows systems.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 3 (<<smtp-on-port-26-tcp-history, version history>>)
+*Version*: 4 (<<smtp-on-port-26-tcp-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -74,7 +78,7 @@ destination.port:26))
 * Tactic:
 ** Name: Exfiltration
 ** ID: TA0010
-** Reference URL: https://attack.mitre.org/tactics/TA0011/
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
 * Technique:
 ** Name: Exfiltration Over Alternative Protocol
 ** ID: T1048
@@ -83,6 +87,9 @@ destination.port:26))
 [[smtp-on-port-26-tcp-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/smtp-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/smtp-to-the-internet.asciidoc
index fb19a15189..b33e080415 100644
--- a/docs/detections/prebuilt-rules/rule-details/smtp-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/smtp-to-the-internet.asciidoc
@@ -12,6 +12,7 @@ threat actors for command and control, or data exfiltration.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -26,13 +27,16 @@ threat actors for command and control, or data exfiltration.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<smtp-to-the-internet-history, version history>>)
+*Version*: 5 (<<smtp-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -80,6 +84,9 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[smtp-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/socat-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/socat-process-activity.asciidoc
index 8168e4fa64..1e0726c446 100644
--- a/docs/detections/prebuilt-rules/rule-details/socat-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/socat-process-activity.asciidoc
@@ -29,13 +29,15 @@ port. Socat is also sometimes used for lateral movement.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 
-*Version*: 4 (<<socat-process-activity-history, version history>>)
+*Version*: 5 (<<socat-process-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -58,6 +60,9 @@ process.name:socat and not process.args:-V
 [[socat-process-activity-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/spike-in-aws-error-messages.asciidoc b/docs/detections/prebuilt-rules/rule-details/spike-in-aws-error-messages.asciidoc
index 88aa40e8b0..1e9af5395c 100644
--- a/docs/detections/prebuilt-rules/rule-details/spike-in-aws-error-messages.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/spike-in-aws-error-messages.asciidoc
@@ -28,14 +28,17 @@ attempts at privilege escalation, lateral movement, or discovery.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
 * ML
 
-*Version*: 1
+*Version*: 2 (<<spike-in-aws-error-messages-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -76,3 +79,10 @@ accounts or could it be sourcing from an EC2 instance not under your control?
 If it is an authorized EC2 instance, is the activity associated with normal
 behavior for the instance role or roles? Are there any other alerts or signs of
 suspicious activity involving this instance?
+
+[[spike-in-aws-error-messages-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/sql-traffic-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/sql-traffic-to-the-internet.asciidoc
index a7df45d9b5..c6425cbe13 100644
--- a/docs/detections/prebuilt-rules/rule-details/sql-traffic-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/sql-traffic-to-the-internet.asciidoc
@@ -12,6 +12,7 @@ gain initial access to network resources.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: medium
 
@@ -26,13 +27,16 @@ gain initial access to network resources.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<sql-traffic-to-the-internet-history, version history>>)
+*Version*: 5 (<<sql-traffic-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -70,6 +74,9 @@ or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
 [[sql-traffic-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-from-the-internet.asciidoc
index c411ef6611..19edaef4f7 100644
--- a/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-from-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-from-the-internet.asciidoc
@@ -13,6 +13,7 @@ by threat actors as an initial access or back-door vector.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: medium
 
@@ -27,13 +28,16 @@ by threat actors as an initial access or back-door vector.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<ssh-secure-shell-from-the-internet-history, version history>>)
+*Version*: 5 (<<ssh-secure-shell-from-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -91,6 +95,9 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[ssh-secure-shell-from-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-to-the-internet.asciidoc
index d20d65167e..891d398a2d 100644
--- a/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/ssh-secure-shell-to-the-internet.asciidoc
@@ -13,6 +13,7 @@ actors as an initial access or back-door vector.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -27,13 +28,16 @@ actors as an initial access or back-door vector.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<ssh-secure-shell-to-the-internet-history, version history>>)
+*Version*: 5 (<<ssh-secure-shell-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -71,6 +75,9 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[ssh-secure-shell-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/strace-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/strace-process-activity.asciidoc
index fc0d13805f..922e4436c4 100644
--- a/docs/detections/prebuilt-rules/rule-details/strace-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/strace-process-activity.asciidoc
@@ -29,13 +29,15 @@ laterally.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 
-*Version*: 4 (<<strace-process-activity-history, version history>>)
+*Version*: 5 (<<strace-process-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -58,6 +60,9 @@ process.name:strace
 [[strace-process-activity-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc
index f7e5bf036a..5121329f2e 100644
--- a/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc
@@ -23,13 +23,16 @@ A sudoers file specifies the commands that users or groups can run and from whic
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Privilege Escalation
 
-*Version*: 3 (<<sudoers-file-modification-history, version history>>)
+*Version*: 4 (<<sudoers-file-modification-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -59,6 +62,9 @@ event.category:file and event.type:change and file.path:/etc/sudoers
 [[sudoers-file-modification-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-.net-code-compilation.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-.net-code-compilation.asciidoc
new file mode 100644
index 0000000000..b7620f36d1
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-.net-code-compilation.asciidoc
@@ -0,0 +1,61 @@
+[[suspicious-.net-code-compilation]]
+=== Suspicious .NET Code Compilation
+
+Identifies suspicious .NET code execution. connections.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.name:(csc.exe or vbc.exe) and process.parent.name:(wscript.exe
+or mshta.exe or wscript.exe or wmic.exe or svchost.exe or rundll32.exe
+or cmstp.exe or regsvr32.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-activity-reported-by-okta-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-activity-reported-by-okta-user.asciidoc
index 57a57c22ac..c2b8b6921a 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-activity-reported-by-okta-user.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-activity-reported-by-okta-user.asciidoc
@@ -10,6 +10,7 @@ identify when an adversary is attempting to gain access to their network.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: medium
 
@@ -29,15 +30,18 @@ identify when an adversary is attempting to gain access to their network.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<suspicious-activity-reported-by-okta-user-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -55,7 +59,7 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
-event.module:okta and event.dataset:okta.system and
+event.dataset:okta.system and
 event.action:user.account.report_suspicious_activity_by_enduser
 ----------------------------------
 
@@ -101,3 +105,16 @@ event.action:user.account.report_suspicious_activity_by_enduser
 ** Name: Valid Accounts
 ** ID: T1078
 ** Reference URL: https://attack.mitre.org/techniques/T1078/
+
+[[suspicious-activity-reported-by-okta-user-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.module:okta and event.dataset:okta.system and
+event.action:user.account.report_suspicious_activity_by_enduser
+----------------------------------
+
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-endpoint-security-parent-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-endpoint-security-parent-process.asciidoc
new file mode 100644
index 0000000000..4cfe8b52be
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-endpoint-security-parent-process.asciidoc
@@ -0,0 +1,61 @@
+[[suspicious-endpoint-security-parent-process]]
+=== Suspicious Endpoint Security Parent Process
+
+A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.name:(esensor.exe or "elastic-endpoint.exe" or "elastic-
+agent.exe") and not
+process.parent.executable:"C:\Windows\System32\services.exe"
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Masquerading
+** ID: T1036
+** Reference URL: https://attack.mitre.org/techniques/T1036/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc
new file mode 100644
index 0000000000..abbb1a2ed1
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc
@@ -0,0 +1,65 @@
+[[suspicious-managed-code-hosting-process]]
+=== Suspicious Managed Code Hosting Process
+
+Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and not event.type:deletion and
+file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or
+wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or
+regsvr32.exe.log)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc
index 06bbdf3628..cb6af9e4fb 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc
@@ -26,13 +26,16 @@ macros.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<suspicious-ms-office-child-process-history, version history>>)
+*Version*: 5 (<<suspicious-ms-office-child-process-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -76,6 +79,9 @@ wmic.exe or wscript.exe or xwizard.exe)
 [[suspicious-ms-office-child-process-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc
index aa286d465b..b6c178d8c8 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc
@@ -24,13 +24,16 @@ processes are often associated with spear phishing activity.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<suspicious-ms-outlook-child-process-history, version history>>)
+*Version*: 5 (<<suspicious-ms-outlook-child-process-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -73,6 +76,9 @@ wmic.exe or wscript.exe or xwizard.exe)
 [[suspicious-ms-outlook-child-process-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc
index e8f15ed474..5326ea54dc 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc
@@ -25,13 +25,16 @@ engineering.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 3 (<<suspicious-pdf-reader-child-process-history, version history>>)
+*Version*: 4 (<<suspicious-pdf-reader-child-process-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -75,6 +78,9 @@ certutil.exe or ftp.exe)
 [[suspicious-pdf-reader-child-process-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-powershell-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-powershell-script.asciidoc
index 3ea898639e..df70479165 100644
--- a/docs/detections/prebuilt-rules/rule-details/suspicious-powershell-script.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-powershell-script.asciidoc
@@ -29,14 +29,16 @@ PowerShell script text blocks.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<suspicious-powershell-script-history, version history>>)
+*Version*: 3 (<<suspicious-powershell-script-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -49,6 +51,9 @@ Certain kinds of security testing may trigger this alert. PowerShell scripts tha
 [[suspicious-powershell-script-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-printspooler-service-executable-file-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-printspooler-service-executable-file-creation.asciidoc
new file mode 100644
index 0000000000..11aac6b72a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-printspooler-service-executable-file-creation.asciidoc
@@ -0,0 +1,66 @@
+[[suspicious-printspooler-service-executable-file-creation]]
+=== Suspicious PrintSpooler Service Executable File Creation
+
+Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 74
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/
+* https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Privilege Escalation
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and not event.type:deletion and
+process.name:spoolsv.exe and file.extension:(exe or dll) and not
+file.path:(C\:\\Windows\\System32\\spool\\* or C\:\\Windows\\Temp\\*
+or C\:\\Users\\*)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Exploitation for Privilege Escalation
+** ID: T1068
+** Reference URL: https://attack.mitre.org/techniques/T1068/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-printspooler-spl-file-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-printspooler-spl-file-created.asciidoc
new file mode 100644
index 0000000000..e468a9da27
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-printspooler-spl-file-created.asciidoc
@@ -0,0 +1,70 @@
+[[suspicious-printspooler-spl-file-created]]
+=== Suspicious PrintSpooler SPL File Created
+
+Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 74
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Privilege Escalation
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and not event.type:deletion and
+file.extension:(spl or SPL) and
+file.path:C\:\\Windows\\System32\\spool\\PRINTERS\\* and not
+process.name:(spoolsv.exe or printfilterpipelinesvc.exe or
+PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Exploitation for Privilege Escalation
+** ID: T1068
+** Reference URL: https://attack.mitre.org/techniques/T1068/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-process-execution-via-renamed-psexec-executable.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-process-execution-via-renamed-psexec-executable.asciidoc
new file mode 100644
index 0000000000..cc4faf0b42
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-process-execution-via-renamed-psexec-executable.asciidoc
@@ -0,0 +1,62 @@
+[[suspicious-process-execution-via-renamed-psexec-executable]]
+=== Suspicious Process Execution via Renamed PsExec Executable
+
+Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+(process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or
+winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and
+process.parent.name:services.exe and not process.name:(psexesvc.exe or
+PSEXESVC.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Service Execution
+** ID: T1035
+** Reference URL: https://attack.mitre.org/techniques/T1035/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-process-from-conhost.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-process-from-conhost.asciidoc
new file mode 100644
index 0000000000..7aaf6ffac7
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-process-from-conhost.asciidoc
@@ -0,0 +1,64 @@
+[[suspicious-process-from-conhost]]
+=== Suspicious Process from Conhost
+
+Identifies a suspicious Conhost child process which may be an indication of code injection activity.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://modexp.wordpress.com/2018/09/12/process-injection-user-data/
+* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.parent.name:conhost.exe
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc
new file mode 100644
index 0000000000..312ad6a32f
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc
@@ -0,0 +1,69 @@
+[[suspicious-werfault-child-process]]
+=== Suspicious WerFault Child Process
+
+A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/
+* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Custom Windows Error Reporting Debugger
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.parent.name:WerFault.exe and not process.name:(cofire.exe or
+psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Masquerading
+** ID: T1036
+** Reference URL: https://attack.mitre.org/techniques/T1036/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-wmic-xsl-script-execution.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-wmic-xsl-script-execution.asciidoc
new file mode 100644
index 0000000000..9da37947d6
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-wmic-xsl-script-execution.asciidoc
@@ -0,0 +1,63 @@
+[[suspicious-wmic-xsl-script-execution]]
+=== Suspicious WMIC XSL Script Execution
+
+Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id with maxspan=2m [process where
+event.type in ("start", "process_started") and (process.name :
+"WMIC.exe" or process.pe.original_file_name == "wmic.exe") and
+wildcard(process.args, "format*:*", "/format*:*", "*-format*:*") and
+not wildcard(process.command_line, "* /format:table *")] [library
+where event.type == "start" and file.name in ("jscript.dll",
+"vbscript.dll")]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: XSL Script Processing
+** ID: T1220
+** Reference URL: https://attack.mitre.org/techniques/T1220/
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-zoom-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-zoom-child-process.asciidoc
new file mode 100644
index 0000000000..658856a208
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-zoom-child-process.asciidoc
@@ -0,0 +1,88 @@
+[[suspicious-zoom-child-process]]
+=== Suspicious Zoom Child Process
+
+A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+New Zoom Executable
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.parent.name:Zoom.exe and not process.name:(Zoom.exe or
+WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or
+cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or
+zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or
+plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or
+APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe
+or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or
+RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or
+firefox.exe or iexplore.exe or outlook.exe or lync.exe or
+ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe
+or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or
+mphost.exe or APcptControl.exe or winword.exe or excel.exe or
+powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or
+zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or
+vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe
+or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Masquerading
+** ID: T1036
+** Reference URL: https://attack.mitre.org/techniques/T1036/
+
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/rule-details/svchost-spawning-cmd.asciidoc b/docs/detections/prebuilt-rules/rule-details/svchost-spawning-cmd.asciidoc
index 944fcad962..60e0ea8a3a 100644
--- a/docs/detections/prebuilt-rules/rule-details/svchost-spawning-cmd.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/svchost-spawning-cmd.asciidoc
@@ -24,13 +24,16 @@ descending from `svchost.exe`.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<svchost-spawning-cmd-history, version history>>)
+*Version*: 5 (<<svchost-spawning-cmd-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -54,13 +57,16 @@ process.parent.name:svchost.exe and process.name:cmd.exe
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Command-Line Interface
+** Name: Command and Scripting Interpreter
 ** ID: T1059
 ** Reference URL: https://attack.mitre.org/techniques/T1059/
 
 [[svchost-spawning-cmd-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc b/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc
index eec7797dd4..7288a01a77 100644
--- a/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc
@@ -25,13 +25,16 @@ service to gain SYSTEM permissions.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Persistence
 
-*Version*: 4 (<<system-shells-via-services-history, version history>>)
+*Version*: 5 (<<system-shells-via-services-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -63,6 +66,9 @@ powershell.exe)
 [[system-shells-via-services-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/tcp-port-8000-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/tcp-port-8000-activity-to-the-internet.asciidoc
index 18efe4e88b..a3b2a563e0 100644
--- a/docs/detections/prebuilt-rules/rule-details/tcp-port-8000-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/tcp-port-8000-activity-to-the-internet.asciidoc
@@ -12,6 +12,7 @@ behind a reverse proxy.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -26,13 +27,16 @@ behind a reverse proxy.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<tcp-port-8000-activity-to-the-internet-history, version history>>)
+*Version*: 5 (<<tcp-port-8000-activity-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -69,6 +73,9 @@ or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
 [[tcp-port-8000-activity-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/telnet-port-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/telnet-port-activity.asciidoc
index 82e14cd843..f5e5fd766c 100644
--- a/docs/detections/prebuilt-rules/rule-details/telnet-port-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/telnet-port-activity.asciidoc
@@ -14,6 +14,7 @@ expose usernames and passwords to anyone capable of observing the traffic.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: medium
 
@@ -28,13 +29,16 @@ expose usernames and passwords to anyone capable of observing the traffic.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 3 (<<telnet-port-activity-history, version history>>)
+*Version*: 4 (<<telnet-port-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -79,8 +83,8 @@ and destination.port:23
 
 * Tactic:
 ** Name: Initial Access
-** ID: TA0011
-** Reference URL: https://attack.mitre.org/tactics/TA0011/
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
 * Technique:
 ** Name: Exploit Public-Facing Application
 ** ID: T1190
@@ -89,6 +93,9 @@ and destination.port:23
 [[telnet-port-activity-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/threat-detected-by-okta-threatinsight.asciidoc b/docs/detections/prebuilt-rules/rule-details/threat-detected-by-okta-threatinsight.asciidoc
index 1d991e2af7..d7de5f3114 100644
--- a/docs/detections/prebuilt-rules/rule-details/threat-detected-by-okta-threatinsight.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/threat-detected-by-okta-threatinsight.asciidoc
@@ -12,6 +12,7 @@ password-spraying attacks.
 *Rule indices*:
 
 * filebeat-*
+* logs-okta*
 
 *Severity*: medium
 
@@ -31,15 +32,18 @@ password-spraying attacks.
 *Tags*:
 
 * Elastic
+* Identity
 * Okta
+* Continuous Monitoring
 * SecOps
 * Monitoring
-* Continuous Monitoring
 
-*Version*: 1
+*Version*: 2 (<<threat-detected-by-okta-threatinsight-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -53,6 +57,18 @@ The Okta Filebeat module must be enabled to use this rule.
 
 [source,js]
 ----------------------------------
+event.dataset:okta.system and event.action:security.threat.detected
+----------------------------------
+
+
+[[threat-detected-by-okta-threatinsight-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
 event.module:okta and event.dataset:okta.system and
 event.action:security.threat.detected
 ----------------------------------
diff --git a/docs/detections/prebuilt-rules/rule-details/tor-activity-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/tor-activity-to-the-internet.asciidoc
index 6da935ee02..a1eec0c0a8 100644
--- a/docs/detections/prebuilt-rules/rule-details/tor-activity-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/tor-activity-to-the-internet.asciidoc
@@ -13,6 +13,7 @@ avoid detection.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: medium
 
@@ -27,13 +28,16 @@ avoid detection.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<tor-activity-to-the-internet-history, version history>>)
+*Version*: 5 (<<tor-activity-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -80,6 +84,9 @@ and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or
 [[tor-activity-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/trusted-developer-application-usage.asciidoc b/docs/detections/prebuilt-rules/rule-details/trusted-developer-application-usage.asciidoc
index e1429caa33..abdbf4ab55 100644
--- a/docs/detections/prebuilt-rules/rule-details/trusted-developer-application-usage.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/trusted-developer-application-usage.asciidoc
@@ -9,6 +9,7 @@ utility program.
 *Rule indices*:
 
 * winlogbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -23,13 +24,16 @@ utility program.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 3 (<<trusted-developer-application-usage-history, version history>>)
+*Version*: 4 (<<trusted-developer-application-usage-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -44,7 +48,8 @@ These programs may be used by Windows developers but use by non-engineers is unu
 
 [source,js]
 ----------------------------------
-event.code:1 and process.name:(MSBuild.exe or msxsl.exe)
+event.category:process and event.type:(start or process_started) and
+process.name:(MSBuild.exe or msxsl.exe)
 ----------------------------------
 
 ==== Threat mapping
@@ -56,7 +61,7 @@ event.code:1 and process.name:(MSBuild.exe or msxsl.exe)
 ** ID: TA0005
 ** Reference URL: https://attack.mitre.org/tactics/TA0005/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
@@ -66,13 +71,21 @@ event.code:1 and process.name:(MSBuild.exe or msxsl.exe)
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
 [[trusted-developer-application-usage-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.code:1 and process.name:(MSBuild.exe or msxsl.exe)
+----------------------------------
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc
new file mode 100644
index 0000000000..617c1e6415
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc
@@ -0,0 +1,62 @@
+[[uac-bypass-via-diskcleanup-scheduled-task-hijack]]
+=== UAC Bypass via DiskCleanup Scheduled Task Hijack
+
+Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Privilege Escalation
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.args:(/autoclean or /AUTOCLEAN) and
+process.parent.name:svchost.exe and not
+process.executable:("C:\Windows\System32\cleanmgr.exe" or
+"C:\Windows\SysWOW64\cleanmgr.exe")
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Bypass User Account Control
+** ID: T1088
+** Reference URL: https://attack.mitre.org/techniques/T1088/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-aws-command-for-a-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-aws-command-for-a-user.asciidoc
index c6d3b13f49..c84a305800 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-aws-command-for-a-user.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-aws-command-for-a-user.asciidoc
@@ -29,14 +29,17 @@ uses a valid account to persist, move laterally, or exfiltrate data.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
 * ML
 
-*Version*: 1
+*Version*: 2 (<<unusual-aws-command-for-a-user-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -75,3 +78,10 @@ it appears in small numbers on a weekly or monthly basis - it might be part of
 a housekeeping or maintenance process.
 * Examine the request parameters. These may provide indications as to the
 source of the program or the nature of the tasks it is performing.
+
+[[unusual-aws-command-for-a-user-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-child-process-from-a-system-virtual-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-child-process-from-a-system-virtual-process.asciidoc
new file mode 100644
index 0000000000..3c7975ad92
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-child-process-from-a-system-virtual-process.asciidoc
@@ -0,0 +1,60 @@
+[[unusual-child-process-from-a-system-virtual-process]]
+=== Unusual Child Process from a System Virtual Process
+
+Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.parent.pid:4 and not process.executable:(Registry or
+MemCompression or "C:\Windows\System32\smss.exe")
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Process Injection
+** ID: T1055
+** Reference URL: https://attack.mitre.org/techniques/T1055/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns.exe.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns.exe.asciidoc
new file mode 100644
index 0000000000..8bbc3169c7
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns.exe.asciidoc
@@ -0,0 +1,80 @@
+[[unusual-child-process-of-dns.exe]]
+=== Unusual Child Process of dns.exe
+
+Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
+* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
+* https://github.com/maxpl0it/CVE-2020-1350-DoS
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn.
+
+==== Investigation guide
+
+Detection alerts from this rule indicate potential suspicious child processes
+spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are
+some possible avenues of investigation:
+
+* Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).
+* Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.
+* If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.
+* Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:start and
+process.parent.name:dns.exe and not process.name:conhost.exe
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: External Remote Services
+** ID: T1133
+** Reference URL: https://attack.mitre.org/techniques/T1133/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-child-processes-of-rundll32.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-child-processes-of-rundll32.asciidoc
new file mode 100644
index 0000000000..2d1d29683d
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-child-processes-of-rundll32.asciidoc
@@ -0,0 +1,64 @@
+[[unusual-child-processes-of-rundll32]]
+=== Unusual Child Processes of RunDLL32
+
+Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence with maxspan=1h [process where event.type in ("start",
+"process_started") and /*
+uncomment once in winlogbeat */ (process.name : "rundll32.exe" /*
+or process.pe.original_file_name == "RUNDLL32.EXE" */ ) and
+process.args_count < 2 ] by process.entity_id [process where
+event.type in ("start", "process_started") and process.parent.name :
+"rundll32.exe" ] by process.parent.entity_id
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Rundll32
+** ID: T1085
+** Reference URL: https://attack.mitre.org/techniques/T1085/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-city-for-an-aws-command.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-city-for-an-aws-command.asciidoc
index 087caf0e04..a0d10c860a 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-city-for-an-aws-command.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-city-for-an-aws-command.asciidoc
@@ -29,14 +29,17 @@ being used by a threat actor in a different location from the authorized users.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
 * ML
 
-*Version*: 1
+*Version*: 2 (<<unusual-city-for-an-aws-command-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -76,3 +79,10 @@ it appears in small numbers on a weekly or monthly basis - it might be part of
 a housekeeping or maintenance process.
 * Examine the request parameters. These may provide indications as to the
 source of the program or the nature of the tasks it is performing.
+
+[[unusual-city-for-an-aws-command-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-country-for-an-aws-command.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-country-for-an-aws-command.asciidoc
index e396d212ef..dddbd1d9b1 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-country-for-an-aws-command.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-country-for-an-aws-command.asciidoc
@@ -30,14 +30,17 @@ users.
 
 *Tags*:
 
-* AWS
 * Elastic
+* Cloud
+* AWS
 * ML
 
-*Version*: 1
+*Version*: 2 (<<unusual-country-for-an-aws-command-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
+*Last modified ({stack} release)*: 7.10.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License
@@ -77,3 +80,10 @@ it appears in small numbers on a weekly or monthly basis - it might be part of
 a housekeeping or maintenance process.
 * Examine the request parameters. These may provide indications as to the
 source of the program or the nature of the tasks it is performing.
+
+[[unusual-country-for-an-aws-command-history]]
+==== Rule version history
+
+Version 2 (7.10.0 release)::
+* Formatting only
+
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-dns-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-dns-activity.asciidoc
index 4ece201bd8..13fb6130cd 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-dns-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-dns-activity.asciidoc
@@ -33,14 +33,15 @@ malware uses for command-and-control communication.
 *Tags*:
 
 * Elastic
+* Network
+* Threat Detection
 * ML
-* Packetbeat
 
-*Version*: 2 (<<unusual-dns-activity-history, version history>>)
+*Version*: 3 (<<unusual-dns-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -53,6 +54,9 @@ A newly installed program or one that runs rarely as part of a monthly or quarte
 [[unusual-dns-activity-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-executable-file-creation-by-a-system-critical-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-executable-file-creation-by-a-system-critical-process.asciidoc
new file mode 100644
index 0000000000..dbb87fde2a
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-executable-file-creation-by-a-system-critical-process.asciidoc
@@ -0,0 +1,61 @@
+[[unusual-executable-file-creation-by-a-system-critical-process]]
+=== Unusual Executable File Creation by a System Critical Process
+
+Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and not event.type:deletion and
+file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe
+or csrss.exe or wininit.exe or services.exe or lsass.exe or
+winlogon.exe or userinit.exe or LogonUI.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Exploitation for Defense Evasion
+** ID: T1211
+** Reference URL: https://attack.mitre.org/techniques/T1211/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns.exe.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns.exe.asciidoc
new file mode 100644
index 0000000000..0493f41560
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns.exe.asciidoc
@@ -0,0 +1,73 @@
+[[unusual-file-modification-by-dns.exe]]
+=== Unusual File Modification by dns.exe
+
+Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
+* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+Detection alerts from this rule indicate potential unusual/abnormal file writes
+from the DNS Server service process (`dns.exe`) after exploitation from
+CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of
+investigation:
+
+* Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. 
+* Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:file and process.name:dns.exe and not file.name:dns.log
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: External Remote Services
+** ID: T1133
+** Reference URL: https://attack.mitre.org/techniques/T1133/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc
index 68bb7ecb57..8119c7f08d 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-activity.asciidoc
@@ -33,14 +33,16 @@ applications.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 * ML
 
-*Version*: 2 (<<unusual-linux-network-activity-history, version history>>)
+*Version*: 3 (<<unusual-linux-network-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -72,6 +74,9 @@ performing.
 [[unusual-linux-network-activity-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-connection-discovery.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-connection-discovery.asciidoc
new file mode 100644
index 0000000000..bd64797682
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-connection-discovery.asciidoc
@@ -0,0 +1,65 @@
+[[unusual-linux-network-connection-discovery]]
+=== Unusual Linux Network Connection Discovery
+
+Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_network_connection_discovery
+
+*Machine learning anomaly threshold*: 25
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: System Network Connections Discovery
+** ID: T1049
+** Reference URL: https://attack.mitre.org/techniques/T1049/
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: System Network Connections Discovery
+** ID: T1049
+** Reference URL: https://attack.mitre.org/techniques/T1049/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-port-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-port-activity.asciidoc
index 37f547380d..e77c02d560 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-port-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-port-activity.asciidoc
@@ -30,14 +30,16 @@ unauthorized access or threat actor activity.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 * ML
 
-*Version*: 2 (<<unusual-linux-network-port-activity-history, version history>>)
+*Version*: 3 (<<unusual-linux-network-port-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -50,6 +52,9 @@ A newly installed program or one that rarely uses the network could trigger this
 [[unusual-linux-network-port-activity-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-service.asciidoc
index d7f31d1124..fe48ad3d23 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-service.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-network-service.asciidoc
@@ -28,14 +28,16 @@ execution of unauthorized services, backdoors, or persistence mechanisms.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 * ML
 
-*Version*: 2 (<<unusual-linux-network-service-history, version history>>)
+*Version*: 3 (<<unusual-linux-network-service-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -48,6 +50,9 @@ A newly installed program or one that rarely uses the network could trigger this
 [[unusual-linux-network-service-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-process-calling-the-metadata-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-process-calling-the-metadata-service.asciidoc
new file mode 100644
index 0000000000..a28c627a37
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-process-calling-the-metadata-service.asciidoc
@@ -0,0 +1,41 @@
+[[unusual-linux-process-calling-the-metadata-service]]
+=== Unusual Linux Process Calling the Metadata Service
+
+Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_rare_metadata_process
+
+*Machine learning anomaly threshold*: 50
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-process-discovery-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-process-discovery-activity.asciidoc
new file mode 100644
index 0000000000..e3bdb87df8
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-process-discovery-activity.asciidoc
@@ -0,0 +1,65 @@
+[[unusual-linux-process-discovery-activity]]
+=== Unusual Linux Process Discovery Activity
+
+Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_system_process_discovery
+
+*Machine learning anomaly threshold*: 50
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Process Discovery
+** ID: T1057
+** Reference URL: https://attack.mitre.org/techniques/T1057/
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Process Discovery
+** ID: T1057
+** Reference URL: https://attack.mitre.org/techniques/T1057/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-system-information-discovery-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-system-information-discovery-activity.asciidoc
new file mode 100644
index 0000000000..8a0d51d74b
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-system-information-discovery-activity.asciidoc
@@ -0,0 +1,65 @@
+[[unusual-linux-system-information-discovery-activity]]
+=== Unusual Linux System Information Discovery Activity
+
+Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_system_information_discovery
+
+*Machine learning anomaly threshold*: 75
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: System Information Discovery
+** ID: T1082
+** Reference URL: https://attack.mitre.org/techniques/T1082/
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: System Information Discovery
+** ID: T1082
+** Reference URL: https://attack.mitre.org/techniques/T1082/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-system-network-configuration-discovery.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-system-network-configuration-discovery.asciidoc
new file mode 100644
index 0000000000..2d2c4d3f03
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-system-network-configuration-discovery.asciidoc
@@ -0,0 +1,65 @@
+[[unusual-linux-system-network-configuration-discovery]]
+=== Unusual Linux System Network Configuration Discovery
+
+Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_network_configuration_discovery
+
+*Machine learning anomaly threshold*: 25
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: System Network Configuration Discovery
+** ID: T1016
+** Reference URL: https://attack.mitre.org/techniques/T1016/
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: System Network Configuration Discovery
+** ID: T1016
+** Reference URL: https://attack.mitre.org/techniques/T1016/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-system-owner-or-user-discovery-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-system-owner-or-user-discovery-activity.asciidoc
new file mode 100644
index 0000000000..58e9a5b292
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-system-owner-or-user-discovery-activity.asciidoc
@@ -0,0 +1,65 @@
+[[unusual-linux-system-owner-or-user-discovery-activity]]
+=== Unusual Linux System Owner or User Discovery Activity
+
+Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_system_user_discovery
+
+*Machine learning anomaly threshold*: 75
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: System Owner/User Discovery
+** ID: T1033
+** Reference URL: https://attack.mitre.org/techniques/T1033/
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: System Owner/User Discovery
+** ID: T1033
+** Reference URL: https://attack.mitre.org/techniques/T1033/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-user-calling-the-metadata-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-user-calling-the-metadata-service.asciidoc
new file mode 100644
index 0000000000..459a7f6279
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-user-calling-the-metadata-service.asciidoc
@@ -0,0 +1,41 @@
+[[unusual-linux-user-calling-the-metadata-service]]
+=== Unusual Linux User Calling the Metadata Service
+
+Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_rare_metadata_user
+
+*Machine learning anomaly threshold*: 75
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc
index af909f1b03..4404cb9aef 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-username.asciidoc
@@ -38,14 +38,16 @@ another.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 * ML
 
-*Version*: 2 (<<unusual-linux-username-history, version history>>)
+*Version*: 3 (<<unusual-linux-username-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -75,6 +77,9 @@ user is performing.
 [[unusual-linux-username-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-linux-web-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-linux-web-activity.asciidoc
index a93b59cc27..8fd1de80e3 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-linux-web-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-linux-web-activity.asciidoc
@@ -34,14 +34,16 @@ unauthorized downloads or threat activity.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 * ML
 
-*Version*: 2 (<<unusual-linux-web-activity-history, version history>>)
+*Version*: 3 (<<unusual-linux-web-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -54,6 +56,9 @@ A new and unusual program or artifact download in the course of software upgrade
 [[unusual-linux-web-activity-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-login-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-login-activity.asciidoc
index a47ac172d1..c219313df1 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-login-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-login-activity.asciidoc
@@ -27,14 +27,16 @@ Identifies an unusually high number of authentication attempts.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 * ML
 
-*Version*: 2 (<<unusual-login-activity-history, version history>>)
+*Version*: 3 (<<unusual-login-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -47,6 +49,9 @@ Security audits may trigger this alert. Conditions that generate bursts of faile
 [[unusual-login-activity-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-network-activity-from-a-windows-system-binary.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-network-activity-from-a-windows-system-binary.asciidoc
new file mode 100644
index 0000000000..a69dde4913
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-network-activity-from-a-windows-system-binary.asciidoc
@@ -0,0 +1,83 @@
+[[unusual-network-activity-from-a-windows-system-binary]]
+=== Unusual Network Activity from a Windows System Binary
+
+Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id with maxspan=5m [process where
+event.type in ("start", "process_started") and /* known
+applocker bypasses */ (process.name : "bginfo.exe" or
+process.name : "cdb.exe" or process.name : "control.exe" or
+process.name : "cmstp.exe" or process.name : "csi.exe" or
+process.name : "dnx.exe" or process.name : "fsi.exe" or
+process.name : "ieexec.exe" or process.name : "iexpress.exe" or
+process.name : "installutil.exe" or process.name :
+"Microsoft.Workflow.Compiler.exe" or process.name :
+"MSBuild.exe" or process.name : "msdt.exe" or process.name
+: "mshta.exe" or process.name : "msiexec.exe" or
+process.name : "msxsl.exe" or process.name : "odbcconf.exe" or
+process.name : "rcsi.exe" or process.name : "regsvr32.exe" or
+process.name : "xwizard.exe")] [network where (process.name :
+"bginfo.exe" or process.name : "cdb.exe" or process.name :
+"control.exe" or process.name : "cmstp.exe" or
+process.name : "csi.exe" or process.name : "dnx.exe" or
+process.name : "fsi.exe" or process.name : "ieexec.exe" or
+process.name : "iexpress.exe" or process.name :
+"installutil.exe" or process.name :
+"Microsoft.Workflow.Compiler.exe" or process.name :
+"MSBuild.exe" or process.name : "msdt.exe" or process.name
+: "mshta.exe" or process.name : "msiexec.exe" or
+process.name : "msxsl.exe" or process.name : "odbcconf.exe" or
+process.name : "rcsi.exe" or process.name : "regsvr32.exe" or
+process.name : "xwizard.exe")]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Trusted Developer Utilities Proxy Execution
+** ID: T1127
+** Reference URL: https://attack.mitre.org/techniques/T1127/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-sequence-via-rundll32.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-sequence-via-rundll32.asciidoc
new file mode 100644
index 0000000000..b28c8820aa
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-sequence-via-rundll32.asciidoc
@@ -0,0 +1,63 @@
+[[unusual-network-connection-sequence-via-rundll32]]
+=== Unusual Network Connection Sequence via RunDLL32
+
+Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Windows
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+sequence by process.entity_id with maxspan=2h [process where
+event.type in ("start", "process_started") and (process.name ==
+"rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and
+/* zero arguments excluding the binary itself (and accounting for when
+the binary may not be logged in args) */ ((process.args ==
+"rundll32.exe" and process.args_count == 1) or (process.args !=
+"rundll32.exe" and process.args_count == 0))] [network where
+event.type == "connection" and (process.name == "rundll32.exe" or
+process.pe.original_file_name == "rundll32.exe")]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Rundll32
+** ID: T1085
+** Reference URL: https://attack.mitre.org/techniques/T1085/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc
index 334d2ee01b..948967c97a 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-network-connection-via-rundll32.asciidoc
@@ -5,7 +5,7 @@ Identifies unusual instances of `rundll32.exe` making outbound network
 connections. This may indicate adversarial activity and may identify malicious
 DLLs.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -25,13 +25,16 @@ DLLs.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 5 (<<unusual-network-connection-via-rundll32-history, version history>>)
+*Version*: 6 (<<unusual-network-connection-via-rundll32-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -42,9 +45,10 @@ DLLs.
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or
-172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)
+sequence by process.entity_id [process where process.name :
+"rundll32.exe" and event.type == "start"] [network where
+process.name : "rundll32.exe" and not cidrmatch(destination.ip,
+"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
 ----------------------------------
 
 ==== Threat mapping
@@ -63,6 +67,16 @@ process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or
 [[unusual-network-connection-via-rundll32-history]]
 ==== Rule version history
 
+Version 6 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or
+172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)
+----------------------------------
+
 Version 5 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-network-destination-domain-name.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-network-destination-domain-name.asciidoc
index ead391960b..6160b3eb90 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-network-destination-domain-name.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-network-destination-domain-name.asciidoc
@@ -33,14 +33,15 @@ communication.
 *Tags*:
 
 * Elastic
+* Network
+* Threat Detection
 * ML
-* Packetbeat
 
-*Version*: 2 (<<unusual-network-destination-domain-name-history, version history>>)
+*Version*: 3 (<<unusual-network-destination-domain-name-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -53,6 +54,9 @@ Web activity that occurs rarely in small quantities can trigger this alert. Poss
 [[unusual-network-destination-domain-name-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc
index 5f29a4706c..b30af5d141 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-parent-child-relationship.asciidoc
@@ -24,13 +24,16 @@ indicate masquerading or other strange activity on a system.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Privilege Escalation
 
-*Version*: 4 (<<unusual-parent-child-relationship-history, version history>>)
+*Version*: 5 (<<unusual-parent-child-relationship-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -42,22 +45,37 @@ indicate masquerading or other strange activity on a system.
 [source,js]
 ----------------------------------
 event.category:process and event.type:(start or process_started) and
-process.parent.executable:* and (process.name:smss.exe and not
+process.parent.executable:* and (process.parent.name:autochk.exe and
+not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or
+process.parent.name:smss.exe and not process.name:(autochk.exe or
+smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe)
+or process.name:autochk.exe and not process.parent.name:smss.exe or
+process.name:(fontdrvhost.exe or dwm.exe) and not
+process.parent.name:(wininit.exe or winlogon.exe) or
+process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and
+not process.parent.name:svchost.exe or process.name:wermgr.exe and not
+process.parent.name:(svchost.exe or TiWorker.exe) or
+process.name:SearchIndexer.exe and not
+process.parent.name:services.exe or
+process.name:SearchProtocolHost.exe and not
+process.parent.name:(SearchIndexer.exe or dllhost.exe) or
+process.name:dllhost.exe and not process.parent.name:(services.exe or
+svchost.exe) or process.name:smss.exe and not
 process.parent.name:(System or smss.exe) or process.name:csrss.exe and
 not process.parent.name:(smss.exe or svchost.exe) or
 process.name:wininit.exe and not process.parent.name:smss.exe or
 process.name:winlogon.exe and not process.parent.name:smss.exe or
-process.name:lsass.exe and not process.parent.name:wininit.exe or
-process.name:LogonUI.exe and not process.parent.name:(wininit.exe or
-winlogon.exe) or process.name:services.exe and not
-process.parent.name:wininit.exe or process.name:svchost.exe and not
-process.parent.name:(MsMpEng.exe or services.exe) or
-process.name:spoolsv.exe and not process.parent.name:services.exe or
-process.name:taskhost.exe and not process.parent.name:(services.exe or
-svchost.exe) or process.name:taskhostw.exe and not
+process.name:(lsass.exe or LsaIso.exe) and not
+process.parent.name:wininit.exe or process.name:LogonUI.exe and not
+process.parent.name:(wininit.exe or winlogon.exe) or
+process.name:services.exe and not process.parent.name:wininit.exe or
+process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or
+services.exe) or process.name:spoolsv.exe and not
+process.parent.name:services.exe or process.name:taskhost.exe and not
 process.parent.name:(services.exe or svchost.exe) or
-process.name:userinit.exe and not process.parent.name:(dwm.exe or
-winlogon.exe))
+process.name:taskhostw.exe and not process.parent.name:(services.exe
+or svchost.exe) or process.name:userinit.exe and not
+process.parent.name:(dwm.exe or winlogon.exe))
 ----------------------------------
 
 ==== Threat mapping
@@ -76,6 +94,30 @@ winlogon.exe))
 [[unusual-parent-child-relationship-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.parent.executable:* and (process.name:smss.exe and not
+process.parent.name:(System or smss.exe) or process.name:csrss.exe and
+not process.parent.name:(smss.exe or svchost.exe) or
+process.name:wininit.exe and not process.parent.name:smss.exe or
+process.name:winlogon.exe and not process.parent.name:smss.exe or
+process.name:lsass.exe and not process.parent.name:wininit.exe or
+process.name:LogonUI.exe and not process.parent.name:(wininit.exe or
+winlogon.exe) or process.name:services.exe and not
+process.parent.name:wininit.exe or process.name:svchost.exe and not
+process.parent.name:(MsMpEng.exe or services.exe) or
+process.name:spoolsv.exe and not process.parent.name:services.exe or
+process.name:taskhost.exe and not process.parent.name:(services.exe or
+svchost.exe) or process.name:taskhostw.exe and not
+process.parent.name:(services.exe or svchost.exe) or
+process.name:userinit.exe and not process.parent.name:(dwm.exe or
+winlogon.exe))
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-parent-process-for-cmd.exe.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-parent-process-for-cmd.exe.asciidoc
new file mode 100644
index 0000000000..0fbf8133c1
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-parent-process-for-cmd.exe.asciidoc
@@ -0,0 +1,65 @@
+[[unusual-parent-process-for-cmd.exe]]
+=== Unusual Parent Process for cmd.exe
+
+Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* winlogbeat-*
+* logs-endpoint.events.*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Execution
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.category:process and event.type:(start or process_started) and
+process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe
+or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or
+wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe
+or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or
+slui.exe or SIHClient.exe or SearchIndexer.exe or
+SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe
+or WUDFHost.exe or unsecapp.exe or wlanext.exe)
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Command and Scripting Interpreter
+** ID: T1059
+** Reference URL: https://attack.mitre.org/techniques/T1059/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-calling-the-metadata-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-calling-the-metadata-service.asciidoc
new file mode 100644
index 0000000000..79d2715b01
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-calling-the-metadata-service.asciidoc
@@ -0,0 +1,39 @@
+[[unusual-process-calling-the-metadata-service]]
+=== Unusual Process Calling the Metadata Service
+
+Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_rare_metadata_process
+
+*Machine learning anomaly threshold*: 50
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Linux
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-execution-temp.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-execution-temp.asciidoc
index a955dacdfe..c398d467b2 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-process-execution-temp.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-execution-temp.asciidoc
@@ -24,13 +24,15 @@ adversaries to hide malware.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 
-*Version*: 4 (<<unusual-process-execution-temp-history, version history>>)
+*Version*: 5 (<<unusual-process-execution-temp-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -53,6 +55,9 @@ process.working_directory:/tmp
 [[unusual-process-execution-temp-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc
index e2d888b9d2..c75a3e4c30 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-linux-host.asciidoc
@@ -30,14 +30,16 @@ other processes running on the host.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
 * ML
 
-*Version*: 2 (<<unusual-process-for-a-linux-host-history, version history>>)
+*Version*: 3 (<<unusual-process-for-a-linux-host-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -64,6 +66,9 @@ it is performing.
 [[unusual-process-for-a-linux-host-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc
index a3c78576d1..f2f7c20020 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-a-windows-host.asciidoc
@@ -30,14 +30,16 @@ other processes running on the host.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<unusual-process-for-a-windows-host-history, version history>>)
+*Version*: 3 (<<unusual-process-for-a-windows-host-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -73,6 +75,9 @@ as malware by anti-malware tools.
 [[unusual-process-for-a-windows-host-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-network-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-network-connection.asciidoc
index 0f76f33dbd..4c1ba7ff4a 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-process-network-connection.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-network-connection.asciidoc
@@ -5,7 +5,7 @@ Identifies network activity from unexpected system applications. This may
 indicate adversarial activity as these applications are often leveraged by
 adversaries to execute code and evade detection.
 
-*Rule type*: query
+*Rule type*: eql
 
 *Rule indices*:
 
@@ -25,13 +25,16 @@ adversaries to execute code and evade detection.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<unusual-process-network-connection-history, version history>>)
+*Version*: 5 (<<unusual-process-network-connection-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -42,10 +45,24 @@ adversaries to execute code and evade detection.
 
 [source,js]
 ----------------------------------
-event.category:network and event.type:connection and
-process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe
-or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or
-iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)
+sequence by process.entity_id [process where (process.name :
+"Microsoft.Workflow.Compiler.exe" or process.name :
+"bginfo.exe" or process.name : "cdb.exe" or
+process.name : "cmstp.exe" or process.name :
+"csi.exe" or process.name : "dnx.exe" or
+process.name : "fsi.exe" or process.name :
+"ieexec.exe" or process.name : "iexpress.exe" or
+process.name : "odbcconf.exe" or process.name :
+"rcsi.exe" or process.name : "xwizard.exe") and
+event.type == "start"] [network where (process.name :
+"Microsoft.Workflow.Compiler.exe" or process.name :
+"bginfo.exe" or process.name : "cdb.exe" or
+process.name : "cmstp.exe" or process.name :
+"csi.exe" or process.name : "dnx.exe" or
+process.name : "fsi.exe" or process.name :
+"ieexec.exe" or process.name : "iexpress.exe" or
+process.name : "odbcconf.exe" or process.name :
+"rcsi.exe" or process.name : "xwizard.exe")]
 ----------------------------------
 
 ==== Threat mapping
@@ -57,13 +74,24 @@ iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)
 ** ID: TA0002
 ** Reference URL: https://attack.mitre.org/tactics/TA0002/
 * Technique:
-** Name: Trusted Developer Utilities
+** Name: Trusted Developer Utilities Proxy Execution
 ** ID: T1127
 ** Reference URL: https://attack.mitre.org/techniques/T1127/
 
 [[unusual-process-network-connection-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+event.category:network and event.type:connection and
+process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe
+or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or
+iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)
+----------------------------------
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-sudo-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-sudo-activity.asciidoc
new file mode 100644
index 0000000000..6541b0d7f0
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-sudo-activity.asciidoc
@@ -0,0 +1,85 @@
+[[unusual-sudo-activity]]
+=== Unusual Sudo Activity
+
+Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: linux_rare_sudo_user
+
+*Machine learning anomaly threshold*: 75
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Linux
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Abuse Elevation Control Mechanism
+** ID: T1548
+** Reference URL: https://attack.mitre.org/techniques/T1548/
+
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Abuse Elevation Control Mechanism
+** ID: T1548
+** Reference URL: https://attack.mitre.org/techniques/T1548/
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Abuse Elevation Control Mechanism
+** ID: T1548
+** Reference URL: https://attack.mitre.org/techniques/T1548/
+
+
+* Tactic:
+** Name: Privilege Escalation
+** ID: TA0004
+** Reference URL: https://attack.mitre.org/tactics/TA0004/
+* Technique:
+** Name: Abuse Elevation Control Mechanism
+** ID: T1548
+** Reference URL: https://attack.mitre.org/techniques/T1548/
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-web-request.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-web-request.asciidoc
index eb39fd0c18..dd86ec2c5a 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-web-request.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-web-request.asciidoc
@@ -38,14 +38,15 @@ traffic.
 *Tags*:
 
 * Elastic
+* Network
+* Threat Detection
 * ML
-* Packetbeat
 
-*Version*: 2 (<<unusual-web-request-history, version history>>)
+*Version*: 3 (<<unusual-web-request-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -58,6 +59,9 @@ Web activity that occurs rarely in small quantities can trigger this alert. Poss
 [[unusual-web-request-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-web-user-agent.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-web-user-agent.asciidoc
index 22362e020a..aa11803770 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-web-user-agent.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-web-user-agent.asciidoc
@@ -37,14 +37,15 @@ local sources can also be due to malware or scanning activity.
 *Tags*:
 
 * Elastic
+* Network
+* Threat Detection
 * ML
-* Packetbeat
 
-*Version*: 2 (<<unusual-web-user-agent-history, version history>>)
+*Version*: 3 (<<unusual-web-user-agent-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -57,6 +58,9 @@ Web activity that is uncommon, like security scans, may trigger this alert and m
 [[unusual-web-user-agent-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc
index ea614ea01c..df132d9457 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-network-activity.asciidoc
@@ -33,14 +33,16 @@ applications.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<unusual-windows-network-activity-history, version history>>)
+*Version*: 3 (<<unusual-windows-network-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -81,6 +83,9 @@ as malware by anti-malware tools.
 [[unusual-windows-network-activity-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-path-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-path-activity.asciidoc
index f64b3ac7db..3538ff84a9 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-path-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-path-activity.asciidoc
@@ -32,14 +32,16 @@ the Internet or a malicious script or macro executed malware.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<unusual-windows-path-activity-history, version history>>)
+*Version*: 3 (<<unusual-windows-path-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -52,6 +54,9 @@ A new and unusual program or artifact download in the course of software upgrade
 [[unusual-windows-path-activity-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-process-calling-the-metadata-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-process-calling-the-metadata-service.asciidoc
new file mode 100644
index 0000000000..672b362ccd
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-process-calling-the-metadata-service.asciidoc
@@ -0,0 +1,41 @@
+[[unusual-windows-process-calling-the-metadata-service]]
+=== Unusual Windows Process Calling the Metadata Service
+
+Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: windows_rare_metadata_process
+
+*Machine learning anomaly threshold*: 50
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc
index 4576033e3b..b4eb556a5c 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-remote-user.asciidoc
@@ -30,14 +30,16 @@ usernames.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<unusual-windows-remote-user-history, version history>>)
+*Version*: 3 (<<unusual-windows-remote-user-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -62,6 +64,9 @@ employee working remotely?
 [[unusual-windows-remote-user-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-service.asciidoc
index 8ae8c78615..32740cf331 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-service.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-service.asciidoc
@@ -31,14 +31,16 @@ been installed and run as a service.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<unusual-windows-service-history, version history>>)
+*Version*: 3 (<<unusual-windows-service-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -51,6 +53,9 @@ A newly installed program or one that runs rarely as part of a monthly or quarte
 [[unusual-windows-service-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-calling-the-metadata-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-calling-the-metadata-service.asciidoc
new file mode 100644
index 0000000000..e5c3d972e0
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-calling-the-metadata-service.asciidoc
@@ -0,0 +1,41 @@
+[[unusual-windows-user-calling-the-metadata-service]]
+=== Unusual Windows User Calling the Metadata Service
+
+Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
+
+*Rule type*: machine_learning
+
+*Machine learning job*: windows_rare_metadata_user
+
+*Machine learning anomaly threshold*: 75
+
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 15 minutes
+
+*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* ML
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Potential false positives
+
+A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc
index 38f59535d1..d1ee6b1a9a 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-user-privilege-elevation-activity.asciidoc
@@ -31,14 +31,16 @@ than by regular Windows users.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<unusual-windows-user-privilege-elevation-activity-history, version history>>)
+*Version*: 3 (<<unusual-windows-user-privilege-elevation-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -51,6 +53,9 @@ Uncommon user privilege elevation activity can be due to an administrator, help
 [[unusual-windows-user-privilege-elevation-activity-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc
index dda33c1db9..404cd7f8a5 100644
--- a/docs/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-windows-username.asciidoc
@@ -35,14 +35,16 @@ another.
 *Tags*:
 
 * Elastic
-* ML
+* Host
 * Windows
+* Threat Detection
+* ML
 
-*Version*: 2 (<<unusual-windows-username-history, version history>>)
+*Version*: 3 (<<unusual-windows-username-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -75,6 +77,9 @@ Office application, this process could be more suspicious.
 [[unusual-windows-username-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/user-account-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/user-account-creation.asciidoc
index fdfc6634c5..eeac0032e2 100644
--- a/docs/detections/prebuilt-rules/rule-details/user-account-creation.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/user-account-creation.asciidoc
@@ -24,13 +24,16 @@ attackers to increase access to a system or domain.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Persistence
 
-*Version*: 4 (<<user-account-creation-history, version history>>)
+*Version*: 5 (<<user-account-creation-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -62,6 +65,9 @@ and process.args:(user and (/ad or /add))
 [[user-account-creation-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/user-added-as-owner-for-azure-application.asciidoc b/docs/detections/prebuilt-rules/rule-details/user-added-as-owner-for-azure-application.asciidoc
new file mode 100644
index 0000000000..504911c483
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/user-added-as-owner-for-azure-application.asciidoc
@@ -0,0 +1,63 @@
+[[user-added-as-owner-for-azure-application]]
+=== User Added as Owner for Azure Application
+
+Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add
+owner to application" and event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/rule-details/user-added-as-owner-for-azure-service-principal.asciidoc b/docs/detections/prebuilt-rules/rule-details/user-added-as-owner-for-azure-service-principal.asciidoc
new file mode 100644
index 0000000000..5ac39521f4
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/user-added-as-owner-for-azure-service-principal.asciidoc
@@ -0,0 +1,67 @@
+[[user-added-as-owner-for-azure-service-principal]]
+=== User Added as Owner for Azure Service Principal
+
+Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-25m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
+
+*Tags*:
+
+* Elastic
+* Cloud
+* Azure
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+The Azure Filebeat module must be enabled to use this rule.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add
+owner to service principal" and event.outcome:Success
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
diff --git a/docs/detections/prebuilt-rules/rule-details/user-discovery-via-whoami.asciidoc b/docs/detections/prebuilt-rules/rule-details/user-discovery-via-whoami.asciidoc
index 73361d9b52..b1967184e3 100644
--- a/docs/detections/prebuilt-rules/rule-details/user-discovery-via-whoami.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/user-discovery-via-whoami.asciidoc
@@ -24,13 +24,16 @@ tools and persistence mechanisms to test for privileged access.
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Discovery
 
-*Version*: 4 (<<user-discovery-via-whoami-history, version history>>)
+*Version*: 5 (<<user-discovery-via-whoami-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -65,6 +68,9 @@ process.name:whoami
 [[user-discovery-via-whoami-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc b/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc
index 2d80e46ed8..8a9bf077cc 100644
--- a/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc
@@ -23,13 +23,16 @@ An adversary may attempt to get detailed information about the operating system
 *Tags*:
 
 * Elastic
+* Host
 * Linux
+* Threat Detection
+* Discovery
 
-*Version*: 3 (<<virtual-machine-fingerprinting-history, version history>>)
+*Version*: 4 (<<virtual-machine-fingerprinting-history, version history>>)
 
 *Added ({stack} release)*: 7.8.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -66,6 +69,9 @@ or "/proc/scsi/scsi" or "/proc/ide/hd0/model") and not user.name:root
 [[virtual-machine-fingerprinting-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc
index a5931b2bd5..c1afe501a0 100644
--- a/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-from-the-internet.asciidoc
@@ -13,6 +13,7 @@ threat actors as an initial access or back-door vector.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: high
 
@@ -27,13 +28,16 @@ threat actors as an initial access or back-door vector.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<vnc-virtual-network-computing-from-the-internet-history, version history>>)
+*Version*: 5 (<<vnc-virtual-network-computing-from-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -64,7 +68,7 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ** ID: TA0011
 ** Reference URL: https://attack.mitre.org/tactics/TA0011/
 * Technique:
-** Name: Remote Access Tools
+** Name: Remote Access Software
 ** ID: T1219
 ** Reference URL: https://attack.mitre.org/techniques/T1219/
 
@@ -81,6 +85,9 @@ source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 [[vnc-virtual-network-computing-from-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc b/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc
index 2bf90fc724..2f7e33b111 100644
--- a/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/vnc-virtual-network-computing-to-the-internet.asciidoc
@@ -13,6 +13,7 @@ actors as an initial access or back-door vector.
 
 * filebeat-*
 * packetbeat-*
+* logs-endpoint.events.*
 
 *Severity*: medium
 
@@ -27,13 +28,16 @@ actors as an initial access or back-door vector.
 *Tags*:
 
 * Elastic
+* Host
 * Network
+* Threat Detection
+* Command and Control
 
-*Version*: 4 (<<vnc-virtual-network-computing-to-the-internet-history, version history>>)
+*Version*: 5 (<<vnc-virtual-network-computing-to-the-internet-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -64,13 +68,16 @@ destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
 ** ID: TA0011
 ** Reference URL: https://attack.mitre.org/tactics/TA0011/
 * Technique:
-** Name: Remote Access Tools
+** Name: Remote Access Software
 ** ID: T1219
 ** Reference URL: https://attack.mitre.org/techniques/T1219/
 
 [[vnc-virtual-network-computing-to-the-internet-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.0 release)::
 * Updated query, changed from:
 +
diff --git a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-vssadmin.asciidoc b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-vssadmin.asciidoc
index 72f55b5c9a..f0856078dc 100644
--- a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-vssadmin.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-vssadmin.asciidoc
@@ -24,13 +24,16 @@ commonly occurs in tandem with ransomware or other destructive attacks.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 4 (<<volume-shadow-copy-deletion-via-vssadmin-history, version history>>)
+*Version*: 5 (<<volume-shadow-copy-deletion-via-vssadmin-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -61,6 +64,9 @@ process.name:vssadmin.exe and process.args:(delete and shadows)
 [[volume-shadow-copy-deletion-via-vssadmin-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc
index 6707cb4df5..d061669e37 100644
--- a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc
@@ -24,13 +24,16 @@ commonly occurs in tandem with ransomware or other destructive attacks.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 4 (<<volume-shadow-copy-deletion-via-wmic-history, version history>>)
+*Version*: 5 (<<volume-shadow-copy-deletion-via-wmic-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -61,6 +64,9 @@ process.name:WMIC.exe and process.args:(delete and shadowcopy)
 [[volume-shadow-copy-deletion-via-wmic-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-no-user-agent.asciidoc b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-no-user-agent.asciidoc
index 07c8c643e6..4db931e5b0 100644
--- a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-no-user-agent.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-no-user-agent.asciidoc
@@ -26,14 +26,14 @@ string.
 
 *Tags*:
 
-* APM
 * Elastic
+* APM
 
-*Version*: 3 (<<web-application-suspicious-activity-no-user-agent-history, version history>>)
+*Version*: 4 (<<web-application-suspicious-activity-no-user-agent-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -77,6 +77,9 @@ url.path:*
 [[web-application-suspicious-activity-no-user-agent-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-post-request-declined.asciidoc b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-post-request-declined.asciidoc
index 573a645f69..f327de0aae 100644
--- a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-post-request-declined.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-post-request-declined.asciidoc
@@ -27,14 +27,14 @@ not allowed.
 
 *Tags*:
 
-* APM
 * Elastic
+* APM
 
-*Version*: 3 (<<web-application-suspicious-activity-post-request-declined-history, version history>>)
+*Version*: 4 (<<web-application-suspicious-activity-post-request-declined-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -56,6 +56,9 @@ http.response.status_code:403 and http.request.method:post
 [[web-application-suspicious-activity-post-request-declined-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-sqlmap-user-agent.asciidoc b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-sqlmap-user-agent.asciidoc
index 4a5b0dbe30..15deb07f63 100644
--- a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-sqlmap-user-agent.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-sqlmap-user-agent.asciidoc
@@ -27,14 +27,14 @@ for testing web applications for SQL injection vulnerabilities.
 
 *Tags*:
 
-* APM
 * Elastic
+* APM
 
-*Version*: 3 (<<web-application-suspicious-activity-sqlmap-user-agent-history, version history>>)
+*Version*: 4 (<<web-application-suspicious-activity-sqlmap-user-agent-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -56,6 +56,9 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
 [[web-application-suspicious-activity-sqlmap-user-agent-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc
index 105173e6b8..3b98a368a8 100644
--- a/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc
@@ -27,14 +27,14 @@ allowed for the resource.
 
 *Tags*:
 
-* APM
 * Elastic
+* APM
 
-*Version*: 3 (<<web-application-suspicious-activity-unauthorized-method-history, version history>>)
+*Version*: 4 (<<web-application-suspicious-activity-unauthorized-method-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -56,6 +56,9 @@ http.response.status_code:405
 [[web-application-suspicious-activity-unauthorized-method-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Formatting only
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/whoami-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/whoami-process-activity.asciidoc
index b8ca3f3174..f11314a6b3 100644
--- a/docs/detections/prebuilt-rules/rule-details/whoami-process-activity.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/whoami-process-activity.asciidoc
@@ -9,6 +9,7 @@ information for the user who is currently logged on to the local system.
 *Rule indices*:
 
 * winlogbeat-*
+* logs-endpoint.events.*
 
 *Severity*: low
 
@@ -23,13 +24,16 @@ information for the user who is currently logged on to the local system.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Discovery
 
-*Version*: 3 (<<whoami-process-activity-history, version history>>)
+*Version*: 4 (<<whoami-process-activity-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -44,7 +48,8 @@ Some normal use of this program, at varying levels of frequency, may originate f
 
 [source,js]
 ----------------------------------
-process.name:whoami.exe and event.code:1
+event.category:process and event.type:(start or process_started) and
+process.name:whoami.exe
 ----------------------------------
 
 ==== Threat mapping
@@ -63,6 +68,14 @@ process.name:whoami.exe and event.code:1
 [[whoami-process-activity-history]]
 ==== Rule version history
 
+Version 4 (7.10.0 release)::
+* Updated query, changed from:
++
+[source, js]
+----------------------------------
+process.name:whoami.exe and event.code:1
+----------------------------------
+
 Version 3 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc
index 99ce89ef4e..865f20d965 100644
--- a/docs/detections/prebuilt-rules/rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball.asciidoc
@@ -26,13 +26,16 @@ source.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Defense Evasion
 
-*Version*: 2 (<<windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball-history, version history>>)
+*Version*: 3 (<<windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball-history, version history>>)
 
 *Added ({stack} release)*: 7.7.0
 
-*Last modified ({stack} release)*: 7.9.0
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -63,6 +66,9 @@ message:"[CVE-2020-0601]"
 [[windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball-history]]
 ==== Rule version history
 
+Version 3 (7.10.0 release)::
+* Formatting only
+
 Version 2 (7.9.0 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc
index d59440e62d..17ba307a17 100644
--- a/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc
@@ -25,13 +25,16 @@ script, may be indicative of malicious activity.
 *Tags*:
 
 * Elastic
+* Host
 * Windows
+* Threat Detection
+* Execution
 
-*Version*: 4 (<<windows-script-executing-powershell-history, version history>>)
+*Version*: 5 (<<windows-script-executing-powershell-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
-*Last modified ({stack} release)*: 7.9.1
+*Last modified ({stack} release)*: 7.10.0
 
 *Rule authors*: Elastic
 
@@ -63,6 +66,9 @@ process.name:powershell.exe
 [[windows-script-executing-powershell-history]]
 ==== Rule version history
 
+Version 5 (7.10.0 release)::
+* Formatting only
+
 Version 4 (7.9.1 release)::
 * Formatting only
 
diff --git a/docs/detections/prebuilt-rules/rule-details/windows-suspicious-script-object-execution.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-suspicious-script-object-execution.asciidoc
new file mode 100644
index 0000000000..f14d8c5183
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/windows-suspicious-script-object-execution.asciidoc
@@ -0,0 +1,68 @@
+[[windows-suspicious-script-object-execution]]
+=== Windows Suspicious Script Object Execution
+
+Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: medium
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Host
+* Windows
+* Threat Detection
+* Defense Evasion
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+/* add winlogbeat-* when process.code_signature.* fields are populated
+*/ sequence by process.entity_id with maxspan=2m [process where
+event.type in ("start", "process_started") and /* uncomment once
+in winlogbeat */ /* process.code_signature.subject_name ==
+"Microsoft Corporation" and process.code_signature.trusted == true and
+*/ not (process.name : "cscript.exe" or process.name :
+"iexplore.exe" or process.name : "MicrosoftEdge.exe" or
+process.name : "msiexec.exe" or process.name :
+"smartscreen.exe" or process.name : "taskhostw.exe" or
+process.name : "w3wp.exe" or process.name : "wscript.exe")]
+[library where event.type == "start" and file.name : "scrobj.dll"]
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Defense Evasion
+** ID: TA0005
+** Reference URL: https://attack.mitre.org/tactics/TA0005/
+* Technique:
+** Name: Scripting
+** ID: T1064
+** Reference URL: https://attack.mitre.org/techniques/T1064/
diff --git a/docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc b/docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc
new file mode 100644
index 0000000000..6c981141ec
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc
@@ -0,0 +1,69 @@
+[[wpad-service-exploit]]
+=== WPAD Service Exploit
+
+Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full system compromise.
+
+*Rule type*: eql
+
+*Rule indices*:
+
+* logs-endpoint.events.*
+* winlogbeat-*
+
+*Severity*: high
+
+*Risk score*: 21
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*Tags*:
+
+* Elastic
+* Windows
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+/* preference would be to use user.sid rather than domain+name, once
+it is available in ECS + datasources */ sequence with maxspan=5s
+[process where event.type in ("start", "process_started") and
+process.name == "svchost.exe" and user.domain == "NT AUTHORITY"
+and user.name == "LOCAL SERVICE"] by process.entity_id [network
+where network.protocol == "dns" and process.name == "svchost.exe" and
+dns.question.name == "wpad" and process.name == "svchost.exe"] by
+process.entity_id [network where event.type == "connection" and
+process.name == "svchost.exe" and network.direction == "outgoing"
+and destination.port == 80] by process.entity_id [library where
+event.type == "start" and process.name == "svchost.exe" and
+file.name == "jscript.dll" and process.name == "svchost.exe"] by
+process.entity_id [process where event.type in ("start",
+"process_started") and process.parent.name == "svchost.exe"] by
+process.parent.entity_id
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Execution
+** ID: TA0002
+** Reference URL: https://attack.mitre.org/tactics/TA0002/
+* Technique:
+** Name: Exploitation for Privilege Escalation
+** ID: T1068
+** Reference URL: https://attack.mitre.org/techniques/T1068/
diff --git a/docs/detections/prebuilt-rules/rule-details/zoom-meeting-with-no-passcode.asciidoc b/docs/detections/prebuilt-rules/rule-details/zoom-meeting-with-no-passcode.asciidoc
new file mode 100644
index 0000000000..87e9483886
--- /dev/null
+++ b/docs/detections/prebuilt-rules/rule-details/zoom-meeting-with-no-passcode.asciidoc
@@ -0,0 +1,70 @@
+[[zoom-meeting-with-no-passcode]]
+=== Zoom Meeting with no Passcode
+
+This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.
+
+*Rule type*: query
+
+*Rule indices*:
+
+* filebeat-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5 minutes
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*:
+
+* https://blog.zoom.us/a-message-to-our-users/
+* https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
+
+*Tags*:
+
+* Elastic
+* Application
+* Communication
+* Zoom
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 1
+
+*Added ({stack} release)*: 7.10.0
+
+*Rule authors*: Elastic
+
+*Rule license*: Elastic License
+
+==== Investigation guide
+
+This rule requires the Zoom Filebeat module.
+
+==== Rule query
+
+
+[source,js]
+----------------------------------
+event.type:creation and event.module:zoom and
+event.dataset:zoom.webhook and event.action:meeting.created and not
+zoom.meeting.password:*
+----------------------------------
+
+==== Threat mapping
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Initial Access
+** ID: TA0001
+** Reference URL: https://attack.mitre.org/tactics/TA0001/
+* Technique:
+** Name: Exploit Public-Facing Application
+** ID: T1190
+** Reference URL: https://attack.mitre.org/techniques/T1190/
diff --git a/prebuilt-rules-scripts/create-json-from-docs.py b/prebuilt-rules-scripts/create-json-from-docs.py
index 40d4a44dc6..f7ae25d1c0 100644
--- a/prebuilt-rules-scripts/create-json-from-docs.py
+++ b/prebuilt-rules-scripts/create-json-from-docs.py
@@ -9,7 +9,7 @@
 # Creates a JSON file from the existing prebuilt rules documentation and saves
 # it in the diff-files folder.
 
-releaseVersion = "7.9.1" #Security app release version - update as required
+releaseVersion = "7.10.0" #Security app release version - update as required
 
 def sort_by_name(rule):
     '''
diff --git a/prebuilt-rules-scripts/create_documentation.py b/prebuilt-rules-scripts/create_documentation.py
index cf169a321d..11e0dd5e1b 100644
--- a/prebuilt-rules-scripts/create_documentation.py
+++ b/prebuilt-rules-scripts/create_documentation.py
@@ -10,7 +10,7 @@
 # are generated, even those that have not been changed, so you can just copy and
 # paste the updated files to the documentation folders.
 
-releaseVersion = "7.9.1" # Security app release version - update as required
+releaseVersion = "7.10.0" # Security app release version - update as required
 
 def sort_by_name(rule):
     '''
@@ -108,7 +108,7 @@ def formatText(text):
 newText = newText + "|=============================================="
 
 fileWrite = "generated-ascii-files" + "/" + "prebuilt-rules-reference.asciidoc"
-with open(fileWrite, "w") as writeFile:
+with open(fileWrite, "w+") as writeFile:
         writeFile.write(newText)
     
         
@@ -242,7 +242,7 @@ def formatText(text):
                 fileText = fileText + "* " + i['doc_text'] + "\n\n"
             ruleNameChanged = False
     asciidocFile = "generated-ascii-files/rule-details/" + rule_link + ".asciidoc"
-    with open(asciidocFile, "w") as asciiWrite:
+    with open(asciidocFile, "w+") as asciiWrite:
         asciiWrite.write(fileText)
     rules_index_file.append("include::rule-details/" + rule_link + ".asciidoc[]")
 
@@ -254,7 +254,7 @@ def formatText(text):
     index_file_text += index_link + "\n"
 
 indexFileWrite = "generated-ascii-files" + "/" + "rule-desc-index.asciidoc"
-with open(indexFileWrite, "w") as indexFileWrite:
+with open(indexFileWrite, "w+") as indexFileWrite:
         indexFileWrite.write(index_file_text)
 
 # Print files of rules with changed names to terminal
@@ -311,6 +311,7 @@ def addVersionUpdates(updated):
                     linkString = re.sub('/', '-', linkString)
                     versionHistoryPage = versionHistoryPage + "<<" + linkString + ">>\n\n"
 
+addVersionUpdates("7.10.0")
 addVersionUpdates("7.9.0")
 addVersionUpdates("7.8.0")
 addVersionUpdates("7.7.0")
@@ -318,5 +319,5 @@ def addVersionUpdates(updated):
 addVersionUpdates("7.6.1")       
 
 fileWrite = "generated-ascii-files" + "/" + "prebuilt-rules-changelog.asciidoc"
-with open(fileWrite, "w") as writeFile:
+with open(fileWrite, "w+") as writeFile:
         writeFile.write(versionHistoryPage)
diff --git a/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-7.10.0.json b/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-7.10.0.json
new file mode 100644
index 0000000000..17e215e673
--- /dev/null
+++ b/prebuilt-rules-scripts/diff-files/final-files/final-rule-file-7.10.0.json
@@ -0,0 +1,19690 @@
+[
+  {
+    "author": [
+      "Nick Jones",
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to access the secrets in AWS Secrets Manager to steal\ncertificates, credentials, or other sensitive material.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be using\nGetSecretString API for the specified SecretId. If a known behavior is causing\nfalse positives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Access Secret in Secrets Manager",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
+    "references": [
+      "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+      "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS log trail that specifies the settings for\ndelivery of log data.",
+    "false_positives": [
+      "Trail creations may be made by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Trail creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudTrail Log Created",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in\nan attempt to evade defenses.",
+    "false_positives": [
+      "Trail deletions may be made by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Trail deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudTrail Log Deleted",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspending the recording of AWS API calls and log file delivery for\nthe specified trail. An adversary may suspend trails in an attempt to evade\ndefenses.",
+    "false_positives": [
+      "Suspending the recording of a trail may be done by a system or network\nadministrator. Verify whether the user identity, user agent, and/or hostname\nshould be making changes in your environment. Trail suspensions from unfamiliar\nusers or hosts should be investigated. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudTrail Log Suspended",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an update to an AWS log trail setting that specifies the delivery of\nlog files.",
+    "false_positives": [
+      "Trail updates may be made by a system or network administrator. Verify whether\nthe user identity, user agent, and/or hostname should be making changes in your\nenvironment. Trail updates from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudTrail Log Updated",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1492",
+            "name": "Stored Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1492/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete\nalarms in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Alarm deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudWatch Alarm Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specific AWS CloudWatch log group. When a log\ngroup is deleted, all the archived log events associated with the log group are\nalso permanently deleted.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Log group deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudWatch Log Group Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently\ndeletes all associated archived log events with the stream.",
+    "false_positives": [
+      "A log stream may be deleted by a system administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Log stream deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudWatch Log Stream Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to delete an AWS Config Service rule. An adversary may\ntamper with Config rules in order to reduce visibility into the security\nposture of an account and/or its workload instances.",
+    "false_positives": [
+      "Privileged IAM users with security responsibilities may make changes to the\nConfig rules in order to align with local security policies and\nrequirements. Automation, orchestration, and security tools may also make\nchanges to the Config service, when they are used to automate setup or\nconfiguration of AWS accounts. Other types of user or service contexts do not\ncommonly make changes to this service."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Config Service Tampering",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+    "references": [
+      "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an AWS configuration change to stop recording a designated set of\nresources.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Recording changes from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Configuration Recorder Stopped",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) encryption\nin the current region. Disabling default encryption does not change the\nencryption status of your existing volumes.",
+    "false_positives": [
+      "Disabling encryption may be done by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Disabling encryption by unfamiliar users or hosts should\nbe investigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Encryption Disabled",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1492",
+            "name": "Stored Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1492/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud\n(EC2). An adversary may delete flow logs in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Flow log deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Flow Log Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access\ncontrol list (ACL) or an entry in a network ACL with a specified rule number.",
+    "false_positives": [
+      "Network ACLs may be created by a network administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Network ACL creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Network Access Control List Creation",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access\ncontrol list (ACL) or one of its ingress/egress entries.",
+    "false_positives": [
+      "Network ACLs may be deleted by a network administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Network ACL deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Network Access Control List Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are\nsometimes shared by threat actors in order to exfiltrate bulk data from an EC2\nfleet. If the permissions were modified, verify the snapshot was not shared\nwith an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "IAM users may occasionally share EC2 snapshots with another AWS account\nbelonging to the same organization. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Snapshot Activity",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of commands and scripts via System Manager. Execution\nmethods such as RunShellScript, RunPowerShellScript, and alike can be abused by\nan authenticated attacker to install a backdoor or to interact with a\ncompromised instance via reverse-shell using system only commands.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Suspicious commands from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Execution via System Manager",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1086",
+            "name": "PowerShell",
+            "reference": "https://attack.mitre.org/techniques/T1086/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion,\nGuardDuty stops monitoring the environment and all existing findings are lost.",
+    "false_positives": [
+      "The GuardDuty detector may be deleted by a system or network administrator.\nVerify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Detector deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS GuardDuty Detector Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
+      "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may\nattempt to modify the AssumeRolePolicy of a misconfigured role in order to gain\nthe privileges of that role.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Policy updates from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Assume Role Policy Update",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
+    "references": [
+      "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"
+    ],
+    "risk_score": 21,
+    "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access\nManagement (IAM) role. IAM roles are used to delegate access to users or\nservices. An adversary may attempt to enumerate IAM roles in order to determine\nif a role exists before attempting to assume or hijack the discovered role.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Brute Force of Assume Role Policy",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+    "references": [
+      "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
+      "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "",
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deactivation of a specific multi-factor authentication (MFA)\ndevice and removes its association with the user name for which it was\noriginally enabled. In AWS Identity and Access Management (IAM), a device must\nbe deactivated before it can be deleted.",
+    "false_positives": [
+      "A MFA device may be deactivated by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. MFA device deactivations from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Deactivation of MFA Device",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM).\nGroups specify permissions for multiple users. All users in a group\nautomatically have the permissions that are assigned to the group.",
+    "false_positives": [
+      "A group may be created by a system or network administrator. Verify whether the\nuser identity, user agent, and/or hostname should be making changes in your\nenvironment. Group creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Group Creation",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specific AWS Identity and Access Management (IAM)\nresource group. Deleting a resource group does not delete resources that are\nmembers of the group, only the group structure.",
+    "false_positives": [
+      "A resource group may be deleted by a system administrator. Verify whether the\nuser identity, user agent, and/or hostname should be making changes in your\nenvironment. Resource group deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Group Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain\nunauthorized AWS access by abusing password recovery mechanisms.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be\nrequesting changes in your environment. Password reset attempts from unfamiliar\nusers should be investigated. If a known behavior is causing false positives,\nit can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Password Recovery Requested",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"
+    ],
+    "risk_score": 21,
+    "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the addition of a user to a specific group in AWS Identity and\nAccess Management (IAM).",
+    "false_positives": [
+      "Adding users to a specific group may be done by a system or network\nadministrator. Verify whether the user identity, user agent, and/or hostname\nshould be making changes in your environment. User additions from unfamiliar\nusers or hosts should be investigated. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM User Addition to Group",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Management Console Brute Force of Root User Identity",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "cloud.account.id",
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a successful login to the AWS Management Console by the Root user.",
+    "false_positives": [
+      "It's strongly recommended that the root user is not used for everyday tasks,\nincluding administrative tasks. Verify whether the IP address, location, and/or\nhostname should be logging in as root in your environment. Unfamiliar root\nlogins should be investigated immediately. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Management Console Root Login",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:ConsoleLogin and event.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new Amazon Relational Database Service (RDS)\nAurora DB cluster or global database spread across multiple regions.",
+    "false_positives": [
+      "Valid clusters may be created by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Cluster creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS RDS Cluster Creation",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora\ndatabase cluster or global database cluster.",
+    "false_positives": [
+      "Clusters may be deleted by a system administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Cluster deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS RDS Cluster Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.",
+    "false_positives": [
+      "Valid clusters or instances may be stopped by a system administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Cluster or instance stoppages from unfamiliar users or\nhosts should be investigated. If a known behavior is causing false positives,\nit can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS RDS Instance/Cluster Stoppage",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to login to AWS as the root user without using multi-factor\nauthentication (MFA). Amazon AWS best practices indicate that the root user\nshould be protected by MFA.",
+    "false_positives": [
+      "Some organizations allow root-user logins without MFA, however this is not\nconsidered best practice by AWS and increases the risk of compromised\ncredentials."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Root Login Without MFA",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket\nconfiguration components.",
+    "false_positives": [
+      "Bucket components may be deleted by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Bucket component deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS S3 Bucket Configuration Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "227dc608-e558-43d9-b521-150772250bae",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF)\naccess control list.",
+    "false_positives": [
+      "Firewall ACLs may be deleted by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Web ACL deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS WAF Access Control List Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specific AWS Web Application Firewall (WAF) rule\nor rule group.",
+    "false_positives": [
+      "WAF rules or rule groups may be deleted by a system or network administrator.\nVerify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Rule deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS WAF Rule or Rule Group Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:aws and event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.",
+    "false_positives": [
+      "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."
+    ],
+    "index": [
+      "packetbeat-*",
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Abnormally Large DNS Response",
+    "note": "Detection alerts from this rule indicate an attempt was made to exploit\nCVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS\nserver. Here are some possible avenues of investigation:\n\n* Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.\n* Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n* Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n* Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.",
+    "query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 47,
+    "rule_id": "11013227-0301-4a8c-b150-4db924484475",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can add the `hidden` attribute to files to hide them from the user\nin an attempt to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Adding Hidden File Attribute via Attrib",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+    "risk_score": 21,
+    "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to assign administrator privileges to an Okta group in\norder to assign additional permissions to compromised user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if\nadministrator privileges are regularly assigned to Okta groups in your\norganization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Administrator Privileges Assigned to Okta Group",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:group.privilege.grant",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:group.privilege.grant",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation of an executable file or files that will be automatically\nrun by Acrobat Reader when it starts.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Adobe Hijack Persistence",
+    "query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+    "risk_score": 21,
+    "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1044",
+            "name": "File System Permissions Weakness",
+            "reference": "https://attack.mitre.org/techniques/T1044/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.2",
+          "pre_query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Adversary Behavior - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
+    "risk_score": 47,
+    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Adversary Behavior - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Adversary Behavior - Detected - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.",
+    "false_positives": [
+      "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Persistence\n** ID: TA0003\n** Reference URL: https://attack.mitre.org/tactics/TA0003/\n* Technique:\n** Name: Kernel Modules and Extensions\n** ID: T1215\n** Reference URL: https://attack.mitre.org/techniques/T1215/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_kernel_module_arguments",
+    "name": "Anomalous Kernel Module Activity",
+    "references": [
+      "references"
+    ],
+    "risk_score": 21,
+    "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1215",
+            "name": "Kernel Modules and Extensions",
+            "reference": "https://attack.mitre.org/techniques/T1215/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+    "false_positives": [
+      "Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the course of troubleshooting or fixing a software issue."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_user_compiler",
+    "name": "Anomalous Linux Compiler Activity",
+    "risk_score": 21,
+    "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet\nor network. This reduces the detection of false positives since automated\nmaintenance processes usually only run occasionally on a single machine but are\ncommon to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs",
+    "name": "Anomalous Process For a Linux Population",
+    "note": "Alerts from this rule indicate the presence of a Linux process that is rare\nand unusual for all of the monitored Linux hosts for which Auditbeat data is\navailable. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple hosts in an entire fleet or\nnetwork. This reduces the detection of false positives since automated\nmaintenance processes usually only run occasionally on a single machine but are\ncommon to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs",
+    "name": "Anomalous Process For a Windows Population",
+    "note": "Alerts from this rule indicate the presence of a Windows process that is rare\nand unusual for all of the Windows hosts for which Winlogbeat data is\navailable. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n* Examine the process metadata like the values of the Company, Description and\nProduct fields, which may indicate whether the program is associated with an\nexpected software vendor or package.\n* Examine arguments and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.\n* Consider the same for the parent process. If the parent process is\na legitimate system utility or service, this could be related to software\nupdates or system management. If the parent process is something user-facing\nlike an Office application, this process could be more suspicious.\n* If you have file hash values in the event data, and you suspect malware, you\ncan optionally run a search for the file hash to see if the file is identified\nas malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual parent-child process relationships that can indicate malware\nexecution or persistence mechanisms. Malicious scripts often call on other\napplications and processes as part of their exploit payload. For example, when a\nmalicious Office document runs scripts as part of an exploit payload, Excel or\nWord may start a script interpreter process, which, in turn, runs a script that\ndownloads and executes malware. Another common scenario is Outlook running an\nunusual process when malware is downloaded in an email. Monitoring and\nidentifying anomalous process relationships is a method of detecting new and\nemerging malware that is not yet recognized by anti-virus scanners.",
+    "false_positives": [
+      "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_process_creation",
+    "name": "Anomalous Windows Process Creation",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may create an Okta API token to maintain access to an\norganization's network while they work to achieve their objectives. An attacker\nmay abuse an API token to execute techniques such as creating user accounts, or\ndisabling security rules or policies.",
+    "false_positives": [
+      "If the behavior of creating Okta API tokens is expected, consider adding\nexceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Create Okta API Token",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.create",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:system.api_token.create",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may deactivate multi-factor authentication (MFA) for an Okta user\naccount in order to weaken the authentication requirements for the account.",
+    "false_positives": [
+      "If the behavior of deactivating MFA for Okta user accounts is expected,\nconsider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Deactivate MFA for Okta User Account",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to deactivate an Okta multi-factor authentication\n(MFA) rule in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA\nrules are regularly deactivated in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Deactivate Okta MFA Rule",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.deactivate",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:policy.rule.deactivate",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to deactivate an Okta policy in order to weaken an\norganization's security controls. For example, an adversary may attempt to\ndeactivate an Okta multi-factor authentication (MFA) policy in order to weaken\nthe authentication requirements for user accounts.",
+    "false_positives": [
+      "If the behavior of deactivating Okta policies is expected, consider adding\nexceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Deactivate Okta Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to delete an Okta policy in order to weaken an\norganization's security controls. For example, an adversary may attempt to\ndelete an Okta multi-factor authentication (MFA) policy in order to weaken the\nauthentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta\npolicies are regularly deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Delete Okta Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.delete",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to disable ip tables or a firewall service, a technique\nadversaries can use to modify the network traffic hosts are allowed to send and\nreceive.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Disable IPTables or Firewall",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
+    "risk_score": 47,
+    "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and (process.name:service and process.args:stop or process.name:chkconfig and process.args:off) and process.args:(ip6tables or iptables) or process.name:systemctl and process.args:(firewalld and (disable or stop or kill))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to disable the `syslog` service, a technique adversaries can\nuse to disrupt event logging and evade detection by security controls.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Disable Syslog Service",
+    "query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+    "risk_score": 47,
+    "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to modify an Okta multi-factor authentication (MFA)\nrule in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA\nrules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Modify Okta MFA Rule",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Okta network zones can be configured to limit or restrict access to a network\nbased on IP addresses or geolocations. An adversary may attempt to modify,\ndelete, or deactivate an Okta network zone in order to remove or weaken an\norganization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your\norganization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Modify Okta Network Zone",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to modify an Okta policy in order to weaken an\norganization's security controls. For example, an adversary may attempt to\nmodify an Okta multi-factor authentication (MFA) policy in order to weaken the\nauthentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta\npolicies are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Modify Okta Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.update",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:policy.lifecycle.update",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to remove the multi-factor authentication (MFA)\nfactors registered on an Okta user's account in order to register new MFA\nfactors and abuse the account to blend in with normal activity in the victim's\nenvironment.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if the MFA\nfactors for Okta user accounts are regularly reset in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Reset MFA Factors for Okta User Account",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to\nrevoke or delete an Okta API token to disrupt an organization's business\noperations.",
+    "false_positives": [
+      "If the behavior of revoking Okta API tokens is expected, consider adding\nexceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Revoke Okta API Token",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.revoke",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:system.api_token.revoke",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to bypass the Okta multi-factor authentication (MFA)\npolicies configured for an organization in order to obtain unauthorized access\nto an application. This rule detects when an Okta MFA bypass attempt occurs.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempted Bypass of Okta MFA",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 73,
+    "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1111",
+            "name": "Two-Factor Authentication Interception",
+            "reference": "https://attack.mitre.org/techniques/T1111/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
+    "from": "now-180m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempts to Brute Force an Okta User Account",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.lock",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "okta.actor.id",
+      "value": 3
+    },
+    "type": "threshold",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Automation Account Created",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Automation Runbook Created or Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Automation Runbook Deleted",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Automation Webhook Created",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
+    ],
+    "risk_score": 21,
+    "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "to": "now-25m",
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.",
+    "false_positives": [
+      "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Blob Container Access Level Modification",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
+    ],
+    "risk_score": 21,
+    "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1526",
+            "name": "Cloud Service Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1526/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
+    "false_positives": [
+      "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Command Execution on Virtual Machine",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:Success",
+    "references": [
+      "https://adsecurity.org/?p=4277",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
+    ],
+    "risk_score": 47,
+    "rule_id": "60884af6-f553-4a6c-af13-300047455491",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Conditional Access Policy Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
+    "false_positives": [
+      "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Diagnostic Settings Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
+    ],
+    "risk_score": 47,
+    "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
+    "false_positives": [
+      "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Event Hub Authorization Rule Created or Updated",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
+    ],
+    "risk_score": 47,
+    "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.",
+    "false_positives": [
+      "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Event Hub Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
+      "https://azure.microsoft.com/en-in/services/event-hubs/",
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.",
+    "false_positives": [
+      "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure External Guest User Invitation",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"
+    ],
+    "risk_score": 21,
+    "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Firewall Policy Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.",
+    "false_positives": [
+      "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Global Administrator Role Addition to PIM User",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+    ],
+    "risk_score": 73,
+    "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
+    "false_positives": [
+      "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Key Vault Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
+    ],
+    "risk_score": 47,
+    "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1081",
+            "name": "Credentials in Files",
+            "reference": "https://attack.mitre.org/techniques/T1081/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
+    "false_positives": [
+      "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Network Watcher Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Privilege Identity Management Role Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"
+    ],
+    "risk_score": 47,
+    "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
+    "false_positives": [
+      "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Resource Group Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.",
+    "false_positives": [
+      "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Storage Account Key Regenerated",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"
+    ],
+    "risk_score": 21,
+    "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to encode and decode data, a technique adversaries can\nuse to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Base16 or Base32 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+    "risk_score": 21,
+    "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to encode and decode data, a technique adversaries can\nuse to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Base64 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
+    "risk_score": 21,
+    "rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via `eventvwr.exe.` Attackers\nbypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Bypass UAC via Event Viewer",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+    "risk_score": 21,
+    "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1088",
+            "name": "Bypass User Account Control",
+            "reference": "https://attack.mitre.org/techniques/T1088/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to clear Windows event log stores. This is often done by\nattackers in an attempt to evade detection or destroy forensic evidence on a\nsystem.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Clearing Windows Event Logs",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+    "risk_score": 21,
+    "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Cobalt Strike Command and Control Beacon",
+    "note": "This activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+    "references": [
+      "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1483",
+            "name": "Domain Generation Algorithms",
+            "reference": "https://attack.mitre.org/techniques/T1483/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies `cmd.exe` making a network connection. Adversaries can abuse\n`cmd.exe` to download or execute malware from a remote URL.",
+    "false_positives": [
+      "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Command Prompt Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n  [network where process.name : \"cmd.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Compression of Keychain Credentials Directories",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(zip or tar or gzip or 7za or hdiutil) and process.args:(\"/Library/Keychains/\" or \"/Network/Library/Keychains/\" or \"~/Library/Keychains/\")",
+    "references": [
+      "https://objective-see.com/blog/blog_0x25.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1142",
+            "name": "Keychain",
+            "reference": "https://attack.mitre.org/techniques/T1142/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Conhost Spawned By Suspicious Parent Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Connection to External Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"10.0.0.0/8\", \"172.16.0.0/12\",\n                                  \"192.168.0.0/16\", \"FE80::/10\", \"::1/128\")]\n",
+    "risk_score": 47,
+    "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(\"connected-to\" or \"network_flow\") and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:(connection or start) and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:(connection or start) and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Connection to Internal Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"FE80::/10\") and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n",
+    "risk_score": 47,
+    "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(\"connected-to\" or \"network_flow\") and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:(connection or start) and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:(connection or start) and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Users can mark specific files as hidden simply by adding a `.` as the first\ncharacter in the file or folder name. Adversaries can use this to their\nadvantage to hide files and folders on the system for persistence and defense\nevasion. This rule looks for hidden files or folders in common writable\ndirectories.",
+    "false_positives": [
+      "Certain tools may create hidden temporary files or directories upon\ninstallation or as part of their normal behavior. These events can be filtered\nby the process arguments, username, or process name values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Creation of Hidden Files and Directories",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+    "risk_score": 47,
+    "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Creation or Modification of Domain Backup DPAPI private key",
+    "note": "Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
+    "query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
+    "references": [
+      "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
+      "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1145",
+            "name": "Private Keys",
+            "reference": "https://attack.mitre.org/techniques/T1145/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Creation or Modification of a new GPO Scheduled Task or Service",
+    "query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
+    "risk_score": 21,
+    "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Credential Dumping - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+    "risk_score": 73,
+    "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Detected - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Credential Dumping - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+    "risk_score": 47,
+    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Dumping - Prevented - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Credential Manipulation - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+    "risk_score": 73,
+    "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Detected - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Credential Manipulation - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+    "risk_score": 47,
+    "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Credential Manipulation - Prevented - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an internal network client sends DNS traffic directly to the\nInternet. This is atypical behavior for a managed network, and can be indicative\nof malware, exfiltration, command and control, or, simply, misconfiguration.\nThis DNS activity also impacts your organization's ability to provide enterprise\nmonitoring and logging of DNS, and opens your network to a variety of abuses and\nmalicious communications.",
+    "false_positives": [
+      "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "DNS Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+    "references": [
+      "https://www.us-cert.gov/ncas/alerts/TA15-240A",
+      "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "destination.port:53 and (\n network.direction: outbound or (\n source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\\:\\:fb or 255.255.255.255 )\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects unusually large numbers of DNS queries for a single top-level DNS\ndomain, which is often used for DNS tunneling. DNS tunneling can be used for\ncommand-and-control, persistence, or data exfiltration activity. For example,\n`dnscat` tends to generate many DNS questions for a top-level domain as it uses\nthe DNS protocol to tunnel data.",
+    "false_positives": [
+      "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_dns_tunneling",
+    "name": "DNS Tunneling",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the `fsutil.exe` to delete the `USNJRNL` volume. This\ntechnique is used by attackers to eliminate evidence of files created during\npost-exploitation activities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Delete Volume USN Journal with Fsutil",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+    "risk_score": 21,
+    "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the `wbadmin.exe` to delete the backup catalog. Ransomware and\nother malware may do this to prevent system recovery.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Deleting Backup Catalogs with Wbadmin",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+    "risk_score": 21,
+    "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to clear the bash command line history in an attempt to\nevade detection or forensic investigations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Deletion of Bash Command Line History",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+    "risk_score": 47,
+    "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1146",
+            "name": "Clear Command History",
+            "reference": "https://attack.mitre.org/techniques/T1146/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unexpected processes making network connections over port 445.\nWindows File Sharing is typically implemented over Server Message Block (SMB),\nwhich communicates between hosts using port 445. When legitimate, these network\nconnections are established by the kernel. Processes making 445/tcp connections\nmay be port scanners, exploits, or suspicious user-level processes moving\nlaterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Direct Outbound SMB Connection",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and process.pid != 4]\n  [network where destination.port == 445 and process.pid != 4 and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the `netsh.exe` to disable or weaken the local firewall.\nAttackers will use this command line tool to disable the firewall during\ntroubleshooting or to enable network mobility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Disable Windows Firewall Rules via Netsh",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+    "risk_score": 47,
+    "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of `certutil.exe` to encode or decode data. CertUtil is a\nnative Windows component which is part of Certificate Services. CertUtil is\noften abused by attackers to encode or decode base64 data for stealthier command\nand control or exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Encoding or Decoding Files via CertUtil",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+    "risk_score": 47,
+    "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert each time an Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
+    "enabled": true,
+    "exceptions_list": [
+      {
+        "id": "endpoint_list",
+        "list_id": "endpoint_list",
+        "namespace_type": "agnostic",
+        "type": "endpoint"
+      }
+    ],
+    "from": "now-10m",
+    "index": [
+      "logs-endpoint.alerts-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "max_signals": 10000,
+    "name": "Endpoint Security",
+    "query": "event.kind:alert and event.module:(endpoint and not endgame)",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:(endpoint and not endgame)",
+          "doc_text": "Formatting only",
+          "pre_name": "Elastic Endpoint Security"
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enumerate information about a kernel module. Loadable\nKernel Modules (LKMs) are pieces of code that can be loaded and unloaded into\nthe kernel upon demand. They extend the functionality of the kernel without the\nneed to reboot the system.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Enumeration of Kernel Modules",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+    "risk_score": 47,
+    "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Execution of File Written or Modified by Microsoft Office",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          },
+          {
+            "id": "T1192",
+            "name": "Spearphishing Link",
+            "reference": "https://attack.mitre.org/techniques/T1192/"
+          },
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Execution of File Written or Modified by PDF Reader",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          },
+          {
+            "id": "T1192",
+            "name": "Spearphishing Link",
+            "reference": "https://attack.mitre.org/techniques/T1192/"
+          },
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe",
+    "risk_score": 73,
+    "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "`RegSvcs.exe` and `RegAsm.exe` are Windows command line utilities that are used\nto register .NET Component Object Model (COM) assemblies. Adversaries can use\n`RegSvcs.exe` and `RegAsm.exe` to proxy execution of code through a trusted\nWindows utility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Execution via Regsvcs/Regasm",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)",
+    "risk_score": 21,
+    "rule_id": "47f09343-8d1f-4bb5-8bb0-00c9d18f5010",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1121",
+            "name": "Regsvcs/Regasm",
+            "reference": "https://attack.mitre.org/techniques/T1121/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1121",
+            "name": "Regsvcs/Regasm",
+            "reference": "https://attack.mitre.org/techniques/T1121/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(RegAsm.exe or RegSvcs.exe) and event.action:\"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Exploit - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+    "risk_score": 73,
+    "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Detected - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Exploit - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+    "risk_score": 47,
+    "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Exploit - Prevented - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert for each external alert written to the configured\nsecuritySolution:defaultIndex. Enabling this rule allows you to immediately\nbegin investigating external alerts in the app.",
+    "index": [
+      "apm-*-transaction*",
+      "auditbeat-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "max_signals": 10000,
+    "name": "External Alerts",
+    "query": "event.kind:alert and not event.module:(endgame or endpoint)",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Network",
+      "Windows",
+      "APM",
+      "macOS",
+      "Linux"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and not event.module:(endgame or endpoint)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may indicate the use of FTP network connections to the\nInternet. The File Transfer Protocol (FTP) has been around in its current form\nsince the 1980s. It can be a common and efficient procedure on your network to\nsend and receive files. Because of this, adversaries will also often use this\nprotocol to exfiltrate data from your network or download new tools.\nAdditionally, FTP is a plain-text protocol which, if intercepted, may expose\nusernames and passwords. FTP activity involving servers subject to regulations\nor compliance standards may be unauthorized.",
+    "false_positives": [
+      "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "FTP (File Transfer Protocol) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: (20 or 21) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:(20 or 21) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies file deletions using the `shred` command. Malware or other files\ndropped or created on a system by an adversary may leave traces behind as to\nwhat was done within a network and how. Adversaries may remove these files over\nthe course of an intrusion to keep their footprint low or remove them at the\nend as part of the post-intrusion cleanup process.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "File Deletion via Shred",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+    "risk_score": 21,
+    "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies file permission modifications in common writable directories by a\nnon-root user. Adversaries often drop files or payloads into a writable\ndirectory, and change permissions prior to execution.",
+    "false_positives": [
+      "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "File Permission Modification in Writable Directory",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+    "risk_score": 21,
+    "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
+    "false_positives": [
+      "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Firewall Rule Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.insert",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 21,
+    "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Firewall Rule Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.delete",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Firewall Rule Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.patch",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+    "false_positives": [
+      "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP IAM Custom Role Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-custom-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.",
+    "false_positives": [
+      "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP IAM Role Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-roles"
+    ],
+    "risk_score": 21,
+    "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.",
+    "false_positives": [
+      "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP IAM Service Account Key Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.",
+    "false_positives": [
+      "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Logging Bucket Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/logging/docs/buckets",
+      "https://cloud.google.com/logging/docs/storage"
+    ],
+    "risk_score": 47,
+    "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.",
+    "false_positives": [
+      "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Logging Sink Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/logging/docs/export"
+    ],
+    "risk_score": 47,
+    "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.",
+    "false_positives": [
+      "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Logging Sink Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/logging/docs/export#how_sinks_work"
+    ],
+    "risk_score": 21,
+    "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Pub/Sub Subscription Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Pub/Sub Subscription Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
+    "false_positives": [
+      "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Pub/Sub Topic Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/admin"
+    ],
+    "risk_score": 21,
+    "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
+    "false_positives": [
+      "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Pub/Sub Topic Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
+    "false_positives": [
+      "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Service Account Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 21,
+    "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Service Account Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Service Account Disabled",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.",
+    "false_positives": [
+      "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Service Account Key Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
+    "false_positives": [
+      "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Storage Bucket Configuration Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:storage.buckets.update and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Storage Bucket Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:storage.buckets.delete",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Storage Bucket Permissions Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:storage.setIamPermissions and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/storage/docs/access-control/iam-permissions"
+    ],
+    "risk_score": 47,
+    "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
+    "false_positives": [
+      "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Virtual Private Cloud Network Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.networks.delete and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/vpc/docs/vpc"
+    ],
+    "risk_score": 47,
+    "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Virtual Private Cloud Route Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 21,
+    "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Virtual Private Cloud Route Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.routes.delete and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 47,
+    "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Halfbaked Command and Control Beacon",
+    "note": "This activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://attack.mitre.org/software/S0151/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1483",
+            "name": "Domain Generation Algorithms",
+            "reference": "https://attack.mitre.org/techniques/T1483/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to encode and decode data, a technique adversaries can\nuse to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Hex Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)",
+    "risk_score": 21,
+    "rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed or process_started) and process.name:(hex or xxd)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
+    "false_positives": [
+      "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "High Number of Okta User Password Reset or Unlock Attempts",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "okta.actor.id",
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Hosts File Modified",
+    "note": "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.",
+    "query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1492",
+            "name": "Stored Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1492/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has\nthe ability to construct network packets for a wide variety of network security\ntesting applications, including scanning and firewall auditing.",
+    "false_positives": [
+      "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Hping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
+    "references": [
+      "https://en.wikipedia.org/wiki/Hping"
+    ],
+    "risk_score": 73,
+    "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: (hping3 or hping2 or hping) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(hping or hping2 or hping3) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "IIS HTTP Logging Disabled",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
+    "risk_score": 73,
+    "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a\nVPN technology that allows one system to talk to another using encrypted\ntunnels. NAT Traversal enables these tunnels to communicate over the Internet\nwhere one of the sides is behind a NAT router gateway. This may be common on\nyour network, but this technique is also used by threat actors to avoid\ndetection.",
+    "false_positives": [
+      "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "IPSEC NAT Traversal Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
+    "risk_score": 21,
+    "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:udp and destination.port:4500",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that use common ports for Internet Relay Chat (IRC) to the\nInternet. IRC is a common protocol that can be used for chat and file transfers.\nThis protocol is also a good candidate for remote control of malware and data\ntransfers to and from a network.",
+    "false_positives": [
+      "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port:(6667 or 6697) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:(6667 or 6697) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
+    "false_positives": [
+      "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Inbound Connection to an Unsecure Elasticsearch Node",
+    "note": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
+    "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
+    "references": [
+      "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
+    ],
+    "risk_score": 47,
+    "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "InstallUtil Process Making Network Connections",
+    "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
+    "risk_score": 21,
+    "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1118",
+            "name": "InstallUtil",
+            "reference": "https://attack.mitre.org/techniques/T1118/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Installation of Custom Shim Databases",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n     not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n     wildcard(registry.path, \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\")]\n",
+    "risk_score": 21,
+    "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1138",
+            "name": "Application Shimming",
+            "reference": "https://attack.mitre.org/techniques/T1138/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (`tty`) is spawned via Perl. Attackers may upgrade a\nsimple reverse shell to a fully interactive `tty` after obtaining initial\naccess to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Interactive Terminal Spawned via Perl",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+    "risk_score": 73,
+    "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (`tty`) is spawned via Python. Attackers may upgrade\na simple reverse shell to a fully interactive `tty` after obtaining initial\naccess to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Interactive Terminal Spawned via Python",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+    "risk_score": 73,
+    "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Kerberos Cached Credentials Dumping",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:kcc and process.args:copy_cred_cache",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
+      "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to remove a kernel module. Kernel modules are pieces of\ncode that can be loaded and unloaded into the kernel upon demand. They extend\nthe functionality of the kernel without the need to reboot the system.",
+    "false_positives": [
+      "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Kernel Module Removal",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+    "references": [
+      "http://man7.org/linux/man-pages/man8/modprobe.8.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1215",
+            "name": "Kernel Modules and Extensions",
+            "reference": "https://attack.mitre.org/techniques/T1215/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.args:(rmmod and sudo or modprobe and sudo and (\"--remove\" or \"-r\"))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task can be used by an adversary to establish persistence, move\nlaterally, and/or escalate privileges.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Local Scheduled Task Commands",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+    "risk_score": 21,
+    "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `sc.exe` to create, modify, or start services on remote hosts.\nThis could be indicative of adversary lateral movement but will be noisy if\ncommonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Local Service Commands",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+    "risk_score": 21,
+    "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Malware - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+    "risk_score": 99,
+    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Detected - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Malware - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+    "risk_score": 73,
+    "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Malware - Prevented - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically\nlinked libraries) responsible for Windows credential management. This technique\nis sometimes used for credential dumping.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Loading Windows Credential Libraries",
+    "query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+    "risk_score": 73,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe and event.action: \"Image loaded (rule: ImageLoad)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script\nor the Visual C# Command Line Compiler. This technique is sometimes used to\ndeploy a malicious payload using the Build Engine.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Started an Unusual Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1500",
+            "name": "Compile After Delivery",
+            "reference": "https://attack.mitre.org/techniques/T1500/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or\nthe Windows command interpreter. This behavior is unusual and is sometimes used\nby malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Started by a Script Process",
+    "query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and event.action:\"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or\nthe WMI (Windows Management Instrumentation) subsystem. This behavior is unusual\nand is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Started by a System Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+    "risk_score": 47,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe) and event.action:\"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or\nWord. This is unusual behavior for the Build Engine and could have been caused\nby an Excel or Word document executing a malicious script payload.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Started by an Office Application",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and event.action: \"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being\nrenamed. This is uncommon behavior and may indicate an attempt to run MSBuild\nunnoticed or undetected.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Using an Alternate Name",
+    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "(pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName: MSBuild.exe) and not process.name: MSBuild.exe and event.action: \"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Microsoft IIS Connection Strings Decryption",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe or winlog.event_data.OriginalFileName:aspnet_regiis.exe) and process.args:(connectionStrings and \"-pdf\")",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+      "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
+    ],
+    "risk_score": 73,
+    "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Microsoft IIS Service Account Password Dumped",
+    "query": "event.category:process AND event.type:(start OR process_started) AND (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) AND process.args:(/[lL][iI][sS][tT]/ AND /\\/[tT][eE][xX][tT]\\:[pP][aA][sS][sS][wW][oO][rR][dD]/)",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
+    ],
+    "risk_score": 73,
+    "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the password log file from the default Mimikatz memssp module.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Mimikatz Memssp Log File Detected",
+    "query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
+    "risk_score": 73,
+    "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Linux `mknod` program is sometimes used in the command payload of a remote\ncommand injection (RCI) and other exploits. It is used to export a command shell\nwhen the traditional version of `netcat` is not available to the payload.",
+    "false_positives": [
+      "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Mknod Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:mknod",
+    "references": [
+      "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/"
+    ],
+    "risk_score": 21,
+    "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: mknod and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:mknod and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:mknod",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:mknod",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `bcdedit.exe` to delete boot configuration data. Malware and\nattackers sometimes use this tactic as a destructive technique.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Modification of Boot Configuration",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+    "risk_score": 21,
+    "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to modify or delete the sign on policy for an Okta\napplication in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if sign on\npolicies for Okta applications are regularly modified or deleted in your\norganization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Modification or Removal of an Okta Application Sign-On Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies `MsBuild.exe` making outbound network connections. This may indicate\nadversarial activity as MsBuild is often leveraged by adversaries to execute\ncode and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "MsBuild Making Network Connections",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Mshta Making Network Connections",
+    "query": "sequence by process.entity_id with maxspan=2h\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "c2d90150-0133-451c-a783-533e736c12d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1170",
+            "name": "Mshta",
+            "reference": "https://attack.mitre.org/techniques/T1170/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Multi-Factor Authentication Disabled for an Azure User",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:Success",
+    "risk_score": 47,
+    "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the SYSTEM account using the Net utility. The Net utility is a\ncomponent of the Windows operating system. It is used in command line operations\nfor control of users, groups, services, and network connections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Net command via SYSTEM account",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+    "risk_score": 21,
+    "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "(process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM and event.action:\"Process Create (rule: ProcessCreate)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and (process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A `netcat` process is engaging in network activity on a Linux host. Netcat is\noften used as a persistence mechanism by exporting a reverse shell or by serving\na shell on a listening port. Netcat is also sometimes used for data\nexfiltration.",
+    "false_positives": [
+      "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Netcat Network Activity",
+    "query": "sequence by process.entity_id\n  [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n     event.type == \"start\"]\n  [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
+    "references": [
+      "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+      "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
+      "https://en.wikipedia.org/wiki/Netcat"
+    ],
+    "risk_score": 47,
+    "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action: (connected-to or bound-socket or socket_opened)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:(access or connection or start) and process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:(access or connection or start) and process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies `certutil.exe` making a network connection. Adversaries could abuse\n`certutil.exe` to download a certificate or malware from a remote URL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via Certutil",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft\nHTML Help system. Adversaries may conceal malicious code in a CHM file and\ndeliver it to a victim for execution. CHM content is loaded by the HTML Help\nexecutable program (`hh.exe`).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via Compiled HTML File",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:hh.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:hh.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies `msxsl.exe` making a network connection. This may indicate\nadversarial activity as `msxsl.exe` is often leveraged by adversaries to\nexecute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via MsXsl",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
+    "false_positives": [
+      "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via Registration Utility",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1117",
+            "name": "Regsvr32",
+            "reference": "https://attack.mitre.org/techniques/T1117/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(regsvr32.exe or regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:(regsvr32.exe or regsvr64.exe) and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:(regsvr32.exe or regsvr64.exe) and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": "Network Connection via Regsvr"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Binaries signed with trusted digital certificates can execute on Windows systems\nprotected by digital signature validation. Adversaries may use these binaries to\n'live off the land' and execute malicious files that could bypass application\nallowlists and signature validation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via Signed Binary",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or\npacket sniffing tool that can be used to capture insecure credentials or data in\nmotion. Sniffing can also be used to discover details of network services as a\nprelude to lateral movement or defense evasion.",
+    "false_positives": [
+      "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Network Sniffing via Tcpdump",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump",
+    "risk_score": 21,
+    "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: tcpdump and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:tcpdump and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and\nsecurity testing. It can map and discover networks, and identify listening\nservices and operating systems. It is sometimes used to gather information in\nsupport of exploitation, execution or lateral movement.",
+    "false_positives": [
+      "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Nmap Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nmap",
+    "references": [
+      "https://en.wikipedia.org/wiki/Nmap"
+    ],
+    "risk_score": 21,
+    "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: nmap",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:nmap",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:nmap",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:nmap",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the\nability to construct raw packets for a wide variety of security testing\napplications, including denial of service testing.",
+    "false_positives": [
+      "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Nping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nping",
+    "references": [
+      "https://en.wikipedia.org/wiki/Nmap"
+    ],
+    "risk_score": 47,
+    "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: nping and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:nping and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:nping",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:nping",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Okta Brute Force or Password Spraying Attack",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "source.ip",
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.category:authentication and event.outcome:failure",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may indicate use of a PPTP VPN connection. Some threat\nactors use these types of connections to tunnel their traffic while avoiding\ndetection.",
+    "false_positives": [
+      "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "PPTP (Point to Point Tunneling Protocol) Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723",
+    "risk_score": 21,
+    "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:1723",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Permission Theft - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+    "risk_score": 73,
+    "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Detected - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Permission Theft - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+    "risk_score": 47,
+    "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Permission Theft - Prevented - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies loadable kernel module errors, which are often indicative of\npotential persistence attempts.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Persistence via Kernel Module Modification",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)",
+    "references": [
+      "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM"
+    ],
+    "risk_score": 21,
+    "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1215",
+            "name": "Kernel Modules and Extensions",
+            "reference": "https://attack.mitre.org/techniques/T1215/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: (insmod or kmod or modprobe or rmod) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(insmod or kmod or modprobe or rmod) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Persistence via TelemetryController Scheduled Task Hijack",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe)",
+    "references": [
+      "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
+    ],
+    "risk_score": 73,
+    "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Persistence via Update Orchestrator Service Hijack",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.parent.args:(UsoSvc or usosvc) and not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe)",
+    "references": [
+      "https://github.com/irsl/CVE-2020-1313"
+    ],
+    "risk_score": 73,
+    "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1050",
+            "name": "New Service",
+            "reference": "https://attack.mitre.org/techniques/T1050/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Possible Consent Grant Attack via Azure-Registered Application",
+    "note": "- The Azure Filebeat module must be enabled to use this rule.\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" ) and event.outcome:success",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1192",
+            "name": "Spearphishing Link",
+            "reference": "https://attack.mitre.org/techniques/T1192/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
+    "false_positives": [
+      "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Possible FIN7 DGA Command and Control Behavior",
+    "note": "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1483",
+            "name": "Domain Generation Algorithms",
+            "reference": "https://attack.mitre.org/techniques/T1483/"
+          },
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to disrupt an organization's business operations by\nperforming a denial of service (DoS) attack against its Okta infrastructure.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Possible Okta DoS Attack",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1498",
+            "name": "Network Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1498/"
+          },
+          {
+            "id": "T1499",
+            "name": "Endpoint Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1499/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Application Shim was created to allow for backward compatibility of software\nas the operating system codebase changes over time. This Windows functionality\nhas been abused by attackers to stealthily gain persistence and arbitrary code\nexecution in legitimate Windows processes.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Application Shimming via Sdbinst",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe",
+    "risk_score": 21,
+    "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1138",
+            "name": "Application Shimming",
+            "reference": "https://attack.mitre.org/techniques/T1138/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1138",
+            "name": "Application Shimming",
+            "reference": "https://attack.mitre.org/techniques/T1138/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and process.name:sdbinst.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.name:sdbinst.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.name:sdbinst.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential DLL SideLoading via Trusted Microsoft Programs",
+    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) or winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE)) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
+    "risk_score": 73,
+    "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over\nthe DNS protocol to circumvent firewalls, network security groups, and network\naccess lists while evading detection.",
+    "false_positives": [
+      "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential DNS Tunneling via Iodine",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
+    "references": [
+      "https://code.kryo.se/iodine/"
+    ],
+    "risk_score": 73,
+    "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: (iodine or iodined) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(iodine or iodined) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux),\nwhich is a Linux kernel security feature that supports access control policies.\nAdversaries may disable security tools to avoid possible detection of their\ntools and activities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Disabling of SELinux",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+    "risk_score": 47,
+    "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.name:setenforce and process.args:0",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by\nadversaries to unload a filter driver and evade defenses.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Evasion via Filter Manager",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe",
+    "risk_score": 21,
+    "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and process.name:fltMC.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.name:fltMC.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.name:fltMC.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows contains accessibility features that may be launched with a key\ncombination before a user has logged in. An adversary can modify the way these\nprograms are launched to get a command prompt or backdoor without logging in to\nthe system.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Modification of Accessibility Binaries",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
+    "risk_score": 21,
+    "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1015",
+            "name": "Accessibility Features",
+            "reference": "https://attack.mitre.org/techniques/T1015/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1015",
+            "name": "Accessibility Features",
+            "reference": "https://attack.mitre.org/techniques/T1015/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Potential Secure File Deletion via SDelete Utility",
+    "note": "Verify process details such as command line and hash to confirm this activity legitimacy.",
+    "query": "event.category:file AND event.type:change AND file.name:/.+A+\\.AAA/",
+    "risk_score": 21,
+    "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a\nvulnerability and remote shell access.",
+    "false_positives": [
+      "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Shell via Web Server",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+    "references": [
+      "https://pentestlab.blog/tag/web-shell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1100",
+            "name": "Web Shell",
+            "reference": "https://attack.mitre.org/techniques/T1100/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "pre_query": "process.name: bash and user.name: (apache or www or \"wwww-data\") and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.8.0",
+          "pre_query": "process.name:bash and user.name:(apache or www or www-data) and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\") and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with `cmd.exe`\ndescending from `PowerShell.exe`.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "PowerShell spawning Cmd",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe",
+    "risk_score": 21,
+    "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1086",
+            "name": "PowerShell",
+            "reference": "https://attack.mitre.org/techniques/T1086/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.parent.name:powershell.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.parent.name:powershell.exe and process.name:cmd.exe",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft\nHTML Help system. Adversaries may conceal malicious code in a CHM file and\ndeliver it to a victim for execution. CHM content is loaded by the HTML Help\nexecutable program (`hh.exe`).",
+    "false_positives": [
+      "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Activity via Compiled HTML File",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe",
+    "risk_score": 21,
+    "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and process.name:hh.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.name:hh.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.name:hh.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to get information about running processes on a system.",
+    "false_positives": [
+      "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Discovery via Tasklist",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:tasklist.exe",
+    "risk_score": 21,
+    "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and process.name:tasklist.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.name:tasklist.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.name:tasklist.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Injection - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+    "risk_score": 73,
+    "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Detected - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Injection - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+    "risk_score": 47,
+    "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Process Injection - Prevented - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another\nprocess. This technique is sometimes used to evade detection or elevate\nprivileges.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Injection by the Microsoft Build Engine",
+    "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed.",
+    "false_positives": [
+      "Legit Application Crash with rare Werfault commandline value"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Potentially Masquerading as WerFault",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:WerFault.exe and not process.args:(((\"-u\" or \"-pss\") and \"-p\" and \"-s\") or (\"/h\" and \"/shared\") or (\"-k\" and \"-lcq\"))",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1235533224337641473",
+      "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may describe network events of proxy use to the Internet. It\nincludes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments\nwill use an internal IP address for a proxy server. It can also be used to\ncircumvent network controls and detection mechanisms.",
+    "false_positives": [
+      "Some proxied applications may use these ports but this usually occurs in local\ntraffic using private IPs which this rule does not match. Proxies are widely\nused as a security technology but in enterprise environments this is usually\nlocal traffic which this rule does not match. If desired, internet proxy\nservices using these ports can be added to allowlists. Some screen recording\napplications may use these ports.\n\nProxy port activity involving an unusual source or destination may be more\nsuspicious. Some cloud environments may use this port when VPNs or direct\nconnects are not in use and cloud instances are accessed across the Internet.\nBecause these ports are in the ephemeral range, this rule may false under\ncertain conditions such as when a NATed web server replies to a client which has\nused a port in the range by coincidence. In this case, such servers can be\nexcluded if desired."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Proxy Port Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: (3128 or 8080 or 1080) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:(1080 or 3128 or 8080) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the SysInternals tool `PsExec.exe` making a network\nconnection. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "PsExec Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n  [network where process.name : \"PsExec.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:PsExec.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:PsExec.exe",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.",
+    "false_positives": [
+      "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Public IP Reconnaissance Activity",
+    "note": "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert.",
+    "query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer",
+    "references": [
+      "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
+    ],
+    "risk_score": 21,
+    "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of RDP traffic from the\nInternet. RDP is commonly used by system administrators to remotely control a\nsystem for maintenance or to use shared resources. It should almost never be\ndirectly exposed to the Internet, as it is frequently targeted and exploited by\nthreat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "RDP (Remote Desktop Protocol) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:3389 and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of RDP traffic to the Internet.\nRDP is commonly used by system administrators to remotely control a system for\nmaintenance or to use shared resources. It should almost never be directly\nexposed to the Internet, as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "false_positives": [
+      "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "RDP (Remote Desktop Protocol) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:3389 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of RPC traffic from the\nInternet. RPC is commonly used by system administrators to remotely control a\nsystem for maintenance or to use shared resources. It should almost never be\ndirectly exposed to the Internet, as it is frequently targeted and exploited by\nthreat actors as an initial access or back-door vector.",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "RPC (Remote Procedure Call) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+    "risk_score": 73,
+    "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: 135 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:135 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of RPC traffic to the Internet.\nRPC is commonly used by system administrators to remotely control a system for\nmaintenance or to use shared resources. It should almost never be directly\nexposed to the Internet, as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "RPC (Remote Procedure Call) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 73,
+    "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: 135 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:135 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Ransomware - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+    "risk_score": 99,
+    "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:detection",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Detected - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Detected - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Ransomware - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+    "risk_score": 73,
+    "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:prevention",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Prevented - Elastic Endpoint"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+          "doc_text": "Formatting only",
+          "pre_name": "Ransomware - Prevented - Elastic Endpoint Security"
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual error in a CloudTrail message. These\ncan be byproducts of attempted or successful persistence, privilege escalation,\ndefense evasion, discovery, lateral movement, or collection.",
+    "false_positives": [
+      "Rare and unusual errors may indicate an impending service failure state. Rare\nand unusual user error activity can also be due to manual troubleshooting or\nreconfiguration attempts by insufficiently privileged users, bugs in cloud\nautomation scripts or workflows, or changes to IAM privileges."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_error_code",
+    "name": "Rare AWS Error Code",
+    "note": "Alerts from this rule indicate a rare and unusual error code that is\nassociated with the response to an AWS API command or method call. Here are\nsome possible avenues of investigation:\n\n* Examine the history of the error. Has it manifested before? If the error,\nwhich is visible in the `aws.cloudtrail.error_code field`, manifested only very\nrecently, it might be related to recent changes in an automation module or\nscript.\n* Examine the request parameters. These may provide indications as to the\nnature of the task being performed when the error occurred. Is the error\nrelated to unsuccessful attempts to enumerate or access objects, data, or\nsecrets? If so, this can sometimes be a byproduct of discovery, privilege\nescalation, or lateral movement attempts.\n* Consider the user as identified in the `user.name` field. Is this activity\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Remote File Copy via TeamViewer",
+    "query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
+    "references": [
+      "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Remote File Download via Desktopimgdownldr Utility",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe or winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
+    "references": [
+      "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
+    ],
+    "risk_score": 47,
+    "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Remote File Download via MpCmdRun",
+    "note": "Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe or winlog.event_data.OriginalFileName:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
+    "references": [
+      "https://twitter.com/mohammadaskar2/status/1301263551638761477",
+      "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects use of the systemsetup command to enable remote SSH Login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Remote SSH Login Enabled via systemsetup Command",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-f\" and \"-setremotelogin\" and on)",
+    "references": [
+      "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+      "https://ss64.com/osx/systemsetup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable to avoid detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Renamed AutoIt Scripts Interpreter",
+    "query": "event.category:process AND event.type:(start OR process_started) AND (process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/ OR winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/) AND NOT process.name:/[aA][uU][tT][oO][iI][tT]\\d{1,3}\\.[eE][xX][eE]/",
+    "risk_score": 47,
+    "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
+    "false_positives": [
+      "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
+    "note": "This activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://www.justice.gov/opa/press-release/file/1084361/download"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of Windows file sharing (also\ncalled SMB or CIFS) traffic to the Internet. SMB is commonly used within\nnetworks to share files, printers, and other system resources amongst trusted\nsystems. It should almost never be directly exposed to the Internet, as it is\nfrequently targeted and exploited by threat actors as an initial access or back-\ndoor vector or for data exfiltration.",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SMB (Windows File Sharing) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 73,
+    "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: (139 or 445) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:(139 or 445) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may indicate use of SMTP on TCP port 26. This port is\ncommonly used by several popular mail transfer agents to deconflict with the\ndefault SMTP port 25. This port has also been used by a malware family called\nBadPatch for command and control of Windows systems.",
+    "false_positives": [
+      "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SMTP on Port 26/TCP",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+    "references": [
+      "https://unit42.paloaltonetworks.com/unit42-badpatch/",
+      "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:26",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may describe SMTP traffic from internal hosts to a host\nacross the Internet. In an enterprise network, there is typically a dedicated\ninternal host that performs this function. It is also frequently abused by\nthreat actors for command and control, or data exfiltration.",
+    "false_positives": [
+      "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SMTP to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: (25 or 465 or 587) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:(25 or 465 or 587) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may describe database traffic (MS SQL, Oracle, MySQL, and\nPostgresql) across the Internet. Databases should almost never be directly\nexposed to the Internet, as they are frequently targeted by threat actors to\ngain initial access to network resources.",
+    "false_positives": [
+      "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SQL Traffic to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: (1433 or 1521 or 3336 or 5432) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:(1433 or 1521 or 3336 or 5432) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of SSH traffic from the\nInternet. SSH is commonly used by system administrators to remotely control a\nsystem using the command line shell. If it is exposed to the Internet, it should\nbe done with strong security controls as it is frequently targeted and exploited\nby threat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SSH (Secure Shell) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+    "risk_score": 47,
+    "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port:22 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:22 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of SSH traffic to the Internet.\nSSH is commonly used by system administrators to remotely control a system using\nthe command line shell. If it is exposed to the Internet, it should be done with\nstrong security controls as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "false_positives": [
+      "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SSH (Secure Shell) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port:22 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:22 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Service Command Lateral Movement",
+    "query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n                               /* uncomment once in winlogbeat */\n     (process.name == \"sc.exe\" /* or process.pe.original_file_name == \"sc.exe\" */ ) and\n                                                   /* case insensitive */\n      wildcard(process.args, \"\\\\\\\\*\") and wildcard(process.args, \"binPath=*\", \"binpath=*\") and\n      (process.args : \"create\" or\n       process.args : \"config\" or\n       process.args : \"failure\" or\n       process.args : \"start\")]\n  [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+    "risk_score": 21,
+    "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          },
+          {
+            "id": "T1050",
+            "name": "New Service",
+            "reference": "https://attack.mitre.org/techniques/T1050/"
+          },
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Setgid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root",
+    "risk_score": 21,
+    "rule_id": "3a86e085-094c-412d-97ff-2439731e59cb",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed OR process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Setuid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+    "risk_score": 21,
+    "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:(executed OR process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A Socat process is running on a Linux host. Socat is often used as a persistence\nmechanism by exporting a reverse shell, or by serving a shell on a listening\nport. Socat is also sometimes used for lateral movement.",
+    "false_positives": [
+      "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Socat Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V",
+    "references": [
+      "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"
+    ],
+    "risk_score": 47,
+    "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:socat and not process.args:\"-V\" and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:socat and not process.args:-V and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a significant spike in the rate of a particular\nerror in the CloudTrail messages. Spikes in error messages may accompany\nattempts at privilege escalation, lateral movement, or discovery.",
+    "false_positives": [
+      "Spikes in error message activity can also be due to bugs in cloud automation\nscripts or workflows, changes to cloud automation scripts or workflows,\nadoption of new services, changes in the way services are used, or changes to\nIAM privileges."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "high_distinct_count_error_message",
+    "name": "Spike in AWS Error Messages",
+    "note": "Alerts from this rule indicate a large spike in the number of CloudTrail log\nmessages that contain a particular error message. The error message in question\nis associated with the response to an AWS API command or method call. Here are\nsome possible avenues of investigation:\n\n* Examine the history of the error. Has it manifested before? If the error,\nwhich is visible in the `aws.cloudtrail.error_message` field, manifested only\nvery recently, it might be related to recent changes in an automation module or\nscript.\n* Examine the request parameters. These may provide indications as to the\nnature of the task being performed when the error occurred. Is the error\nrelated to unsuccessful attempts to enumerate or access objects, data or\nsecrets? If so, this can sometimes be a byproduct of discovery, privilege\nescalation or lateral movement attempts.\n* Consider the user as identified by the `user.name` field. Is this activity\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Strace runs in a privileged context and can be used to escape restrictive\nenvironments by instantiating a shell in order to elevate privileges or move\nlaterally.",
+    "false_positives": [
+      "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Strace Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+    "references": [
+      "https://en.wikipedia.org/wiki/Strace"
+    ],
+    "risk_score": 21,
+    "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: strace and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:strace and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Sudoers File Modification",
+    "query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+    "risk_score": 21,
+    "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1169",
+            "name": "Sudo",
+            "reference": "https://attack.mitre.org/techniques/T1169/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.module:file_integrity and event.action:updated and file.path:/etc/sudoers",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious .NET code execution. connections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious .NET Code Compilation",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(csc.exe or vbc.exe) and process.parent.name:(wscript.exe or mshta.exe or wscript.exe or wmic.exe or svchost.exe or rundll32.exe or cmstp.exe or regsvr32.exe)",
+    "risk_score": 47,
+    "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when a user reports suspicious activity for their Okta\naccount. These events should be investigated, as they can help security teams\nidentify when an adversary is attempting to gain access to their network.",
+    "false_positives": [
+      "A user may report suspicious activity on their Okta account in error."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Activity Reported by Okta User",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Endpoint Security Parent Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(esensor.exe or \"elastic-endpoint.exe\" or \"elastic-agent.exe\") and not process.parent.executable:\"C:\\Windows\\System32\\services.exe\"",
+    "risk_score": 47,
+    "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office\napplications (Word, PowerPoint, Excel). These child processes are often launched\nduring exploitation of Office applications or from documents with malicious\nmacros.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious MS Office Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+    "risk_score": 21,
+    "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of Microsoft Outlook. These child\nprocesses are often associated with spear phishing activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious MS Outlook Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+    "risk_score": 21,
+    "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Managed Code Hosting Process",
+    "query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)",
+    "references": [
+      "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of PDF reader applications. These child\nprocesses are often launched via exploitation of PDF applications or social\nengineering.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious PDF Reader Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+    "risk_score": 21,
+    "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a PowerShell script with unusual data\ncharacteristics, such as obfuscation, that may be a characteristic of malicious\nPowerShell script text blocks.",
+    "false_positives": [
+      "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_script",
+    "name": "Suspicious Powershell Script",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious PrintSpooler SPL File Created",
+    "note": "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.",
+    "query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)",
+    "references": [
+      "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"
+    ],
+    "risk_score": 74,
+    "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious PrintSpooler Service Executable File Creation",
+    "query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)",
+    "references": [
+      "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
+      "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"
+    ],
+    "risk_score": 74,
+    "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Process Execution via Renamed PsExec Executable",
+    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and process.parent.name:services.exe and not process.name:(psexesvc.exe or PSEXESVC.exe)",
+    "risk_score": 47,
+    "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Process from Conhost",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe",
+    "references": [
+      "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Suspicious WMIC XSL Script Execution",
+    "query": "sequence by process.entity_id with maxspan=2m\n[process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n   wildcard(process.args, \"format*:*\", \"/format*:*\", \"*-format*:*\") and\n   not wildcard(process.command_line, \"* /format:table *\")]\n[library where event.type == \"start\" and file.name in (\"jscript.dll\", \"vbscript.dll\")]\n",
+    "risk_score": 21,
+    "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.",
+    "false_positives": [
+      "Custom Windows Error Reporting Debugger"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious WerFault Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)",
+    "references": [
+      "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
+    "false_positives": [
+      "New Zoom Executable"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Zoom Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:Zoom.exe and not process.name:(Zoom.exe or WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or firefox.exe or iexplore.exe or outlook.exe or lync.exe or ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or mphost.exe or APcptControl.exe or winword.exe or excel.exe or powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)",
+    "risk_score": 47,
+    "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent-child process relationship with cmd.exe\ndescending from `svchost.exe`.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Svchost spawning Cmd",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+    "risk_score": 21,
+    "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows services typically run as SYSTEM and can be used as a privilege\nescalation opportunity. Malware or penetration testers may run a shell as a\nservice to gain SYSTEM permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "System Shells via Services",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+    "risk_score": 47,
+    "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1050",
+            "name": "New Service",
+            "reference": "https://attack.mitre.org/techniques/T1050/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "TCP Port 8000 is commonly used for development environments of web server\nsoftware. It generally should not be exposed directly to the Internet. If you\nare running software like this on the Internet, you should consider placing it\nbehind a reverse proxy.",
+    "false_positives": [
+      "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "TCP Port 8000 Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: 8000 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of Telnet traffic. Telnet is\ncommonly used by system administrators to remotely control older or embedded\nsystems using the command line shell. It should almost never be directly exposed\nto the Internet, as it is frequently targeted and exploited by threat actors as\nan initial access or back-door vector. As a plain-text protocol, it may also\nexpose usernames and passwords to anyone capable of observing the traffic.",
+    "false_positives": [
+      "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Telnet Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+    "risk_score": 47,
+    "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:23",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when Okta ThreatInsight identifies a request from a malicious\nIP address. Investigating requests from IP addresses identified as malicious by\nOkta ThreatInsight can help security teams monitor for and respond to\ncredential-based attacks against their organization, such as brute-force and\npassword-spraying attacks.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Threat Detected by Okta ThreatInsight",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:security.threat.detected",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "type": "query",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "event.module:okta and event.dataset:okta.system and event.action:security.threat.detected",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of Tor traffic to the Internet.\nTor is a network protocol that sends traffic through a series of encrypted\ntunnels used to conceal a user's location and usage. Tor may be used by threat\nactors as an alternate communication pathway to conceal the actor's identity and\navoid detection.",
+    "false_positives": [
+      "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Tor Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1188",
+            "name": "Multi-hop Proxy",
+            "reference": "https://attack.mitre.org/techniques/T1188/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and destination.port: (9001 or 9030) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies possibly suspicious activity using a trusted Windows developer\nutility program.",
+    "false_positives": [
+      "These programs may be used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Trusted Developer Application Usage",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.code:1 and process.name:(MSBuild.exe or msxsl.exe)",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.code:1 and process.name:(MSBuild.exe or msxsl.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(/autoclean or /AUTOCLEAN) and process.parent.name:svchost.exe and not process.executable:(\"C:\\Windows\\System32\\cleanmgr.exe\" or \"C:\\Windows\\SysWOW64\\cleanmgr.exe\")",
+    "risk_score": 47,
+    "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1088",
+            "name": "Bypass User Account Control",
+            "reference": "https://attack.mitre.org/techniques/T1088/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an AWS API command that, while not inherently\nsuspicious or abnormal, is being made by a user that does not normally use the\ncommand. This can be the result of compromised credentials or keys as someone\nuses a valid account to persist, move laterally, or exfiltrate data.",
+    "false_positives": [
+      "New or unusual user command activity can be due to manual troubleshooting or\nreconfiguration, changes in cloud automation scripts or workflows, adoption of\nnew services, or changes in the way services are used."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_method_for_a_username",
+    "name": "Unusual AWS Command for a User",
+    "note": "Alerts from this rule indicate an AWS API command or method call that is rare\nand unusual for the calling IAM user. Here are some possible avenues of\ninvestigation:\n\n* Consider the user as identified by the `user.name` field. Is this command\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?\n* Consider the time of day. If the user is a human, not a program or script,\ndid the activity take place during normal working hours?\n* Examine the history of the command. If the command, which is visible in the\n`event.action field`, manifested only very recently, it might be part of a new\nautomation module or script. If its usage rate is consistent - for example, if\nit appears in small numbers on a weekly or monthly basis - it might be part of\na housekeeping or maintenance process.\n* Examine the request parameters. These may provide indications as to the\nsource of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Child Process from a System Virtual Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")",
+    "risk_score": 73,
+    "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "false_positives": [
+      "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Child Process of dns.exe",
+    "note": "Detection alerts from this rule indicate potential suspicious child processes\nspawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are\nsome possible avenues of investigation:\n\n* Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n* Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n* If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n* Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.",
+    "query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Child Processes of RunDLL32",
+    "query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n                                    /* uncomment once in winlogbeat */\n     (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n     process.args_count < 2\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1085",
+            "name": "Rundll32",
+            "reference": "https://attack.mitre.org/techniques/T1085/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently\nsuspicious or abnormal, is sourcing from a geolocation (city) that is unusual\nfor the command. This can be the result of compromised credentials or keys\nbeing used by a threat actor in a different location from the authorized users.",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual\ntroubleshooting or reconfiguration, changes in cloud automation scripts or\nworkflows, adoption of new services, expansion into new regions, increased\nadoption of work from home policies, or users who travel frequently."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_method_for_a_city",
+    "name": "Unusual City For an AWS Command",
+    "note": "Alerts from this rule indicate an AWS API command or method call that is rare\nand unusual for the geolocation of the source IP address. Here are some\npossible avenues of investigation:\n\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?\n* Consider the user as identified by the `user.name` field. Is this command\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the time of day. If the user is a human, not a program or script,\ndid the activity take place during normal working hours?\n* Examine the history of the command. If the command, which is visible in the\n`event.action` field, manifested only very recently, it might be part of a new\nautomation module or script. If its usage rate is consistent - for example, if\nit appears in small numbers on a weekly or monthly basis - it might be part of\na housekeeping or maintenance process.\n* Examine the request parameters. These may provide indications as to the\nsource of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently\nsuspicious or abnormal, is sourcing from a geolocation (country) that is\nunusual for the command. This can be the result of compromised credentials or\nkeys being used by a threat actor in a different location from the authorized\nusers.",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual\ntroubleshooting or reconfiguration, changes in cloud automation scripts or\nworkflows, adoption of new services, expansion into new regions, increased\nadoption of work from home policies, or users who travel frequently."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_method_for_a_country",
+    "name": "Unusual Country For an AWS Command",
+    "note": "Alerts from this rule indicate an AWS API command or method call that is rare\nand unusual for the geolocation of the source IP address. Here are some\npossible avenues of investigation:\n\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?\n* Consider the user as identified by the `user.name` field. Is this command\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the time of day. If the user is a human, not a program or script,\ndid the activity take place during normal working hours?\n* Examine the history of the command. If the command, which is visible in the\n`event.action` field, manifested only very recently, it might be part of a new\nautomation module or script. If its usage rate is consistent - for example, if\nit appears in small numbers on a weekly or monthly basis - it might be part of\na housekeeping or maintenance process.\n* Examine the request parameters. These may provide indications as to the\nsource of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2,
+    "last_update": "7.10.0",
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "added": "7.9.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual DNS query that indicates\nnetwork activity with unusual DNS domains. This can be due to initial access,\npersistence, command-and-control, or exfiltration activity. For example, when a\nuser clicks on a link in a phishing email or opens a malicious document, a\nrequest may be sent to download and run a payload from an uncommon domain. When\nmalware is already running, it may send requests to an uncommon DNS domain the\nmalware uses for command-and-control communication.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_dns_question",
+    "name": "Unusual DNS Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Executable File Creation by a System Critical Process",
+    "query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)",
+    "risk_score": 73,
+    "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1211",
+            "name": "Exploitation for Defense Evasion",
+            "reference": "https://attack.mitre.org/techniques/T1211/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual File Modification by dns.exe",
+    "note": "Detection alerts from this rule indicate potential unusual/abnormal file writes\nfrom the DNS Server service process (`dns.exe`) after exploitation from\nCVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of\ninvestigation:\n\n* Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. \n* Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.",
+    "query": "event.category:file and process.name:dns.exe and not file.name:dns.log",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Linux processes that do not usually use the network but have\nunexpected network activity, which can indicate command-and-control, lateral\nmovement, persistence, or data exfiltration activity. A process with unusual\nnetwork activity can denote process exploitation or injection, where the process\nis used to run persistence mechanisms that allow a malicious actor remote access\nor control of the host, data exfiltration, and execution of unauthorized network\napplications.",
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+    "name": "Unusual Linux Network Activity",
+    "note": "Alerts from this rule indicate the presence of network activity from a Linux\nprocess for which network activity is rare and unusual.  Here are some possible\navenues of investigation:\n\n* Consider the IP addresses and ports. Are these used by normal but infrequent\nnetwork workflows? Are they expected or unexpected?\n* If the destination IP address is remote or external, does it associate with\nan expected domain, organization or geography?\n+\nNOTE: Avoid interacting directly with suspected malicious IP addresses. \n\n* Consider the user as identified by the username field. Is this network\nactivity part of an expected workflow for the user who ran the program?\n* Examine the history of execution. If this process manifested only\nvery recently, it might be part of a new software package. If it has a\nconsistent schedule - for example if it runs monthly or quarterly - it might be\npart of a monthly or quarterly business or maintenance process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Network Connections Discovery\n** ID: T1049\n** Reference URL: https://attack.mitre.org/techniques/T1049/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_network_connection_discovery",
+    "name": "Unusual Linux Network Connection Discovery",
+    "risk_score": 21,
+    "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1049",
+            "name": "System Network Connections Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1049/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual destination port activity that can indicate command-and-\ncontrol, persistence mechanism, or data exfiltration activity. Rarely used\ndestination port activity is generally unusual in Linux fleets, and can indicate\nunauthorized access or threat actor activity.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs",
+    "name": "Unusual Linux Network Port Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual listening ports on Linux instances that can indicate\nexecution of unauthorized services, backdoors, or persistence mechanisms.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_service",
+    "name": "Unusual Linux Network Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_metadata_process",
+    "name": "Unusual Linux Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: Process Discovery\n** ID: T1057\n** Reference URL: https://attack.mitre.org/techniques/T1057/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_system_process_discovery",
+    "name": "Unusual Linux Process Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Information Discovery\n** ID: T1082\n** Reference URL: https://attack.mitre.org/techniques/T1082/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_system_information_discovery",
+    "name": "Unusual Linux System Information Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Network Configuration Discovery\n** ID: T1016\n** Reference URL: https://attack.mitre.org/techniques/T1016/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_network_configuration_discovery",
+    "name": "Unusual Linux System Network Configuration Discovery",
+    "risk_score": 21,
+    "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Owner/User Discovery\n** ID: T1033\n** Reference URL: https://attack.mitre.org/techniques/T1033/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_system_user_discovery",
+    "name": "Unusual Linux System Owner or User Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "59756272-1998-4b8c-be14-e287035c4d10",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_metadata_user",
+    "name": "Unusual Linux User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally\nactive, which can indicate unauthorized changes, activity by unauthorized users,\nlateral movement, or compromised credentials. In many organizations, new\nusernames are not often created apart from specific types of system activities,\nsuch as creating new accounts for new employees. These user accounts quickly\nbecome active and routine. Events from rarely used usernames can point to\nsuspicious activity. Additionally, automated Linux fleets tend to see activity\nfrom rarely used usernames only when personnel log in to make authorized or\nunauthorized changes, or threat actors have acquired credentials and log in for\nmalicious purposes. Unusual usernames can also indicate pivoting, where\ncompromised credentials are used to try and move laterally from one host to\nanother.",
+    "false_positives": [
+      "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_user_name_ecs",
+    "name": "Unusual Linux Username",
+    "note": "Alerts from this rule indicate activity for a Linux user name that is rare and\nunusual. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host? Could\nthis be related to troubleshooting or debugging activity by a developer or site\nreliability engineer?\n* Examine the history of user activity. If this user manifested only very\nrecently, it might be a service account for a new software package. If it has a\nconsistent schedule - for example if it runs monthly or quarterly - it might be\npart of a monthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks that the\nuser is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual web URL request from a Linux host,\nwhich can indicate malware delivery and execution. Wget and cURL are commonly\nused by Linux programs to download code and data. Most of the time, their usage\nis entirely normal. Generally, because they use a list of URLs, they repeatedly\ndownload from the same locations. However, Wget and cURL are sometimes used to\ndeliver Linux exploit payloads, and threat actors use these tools to download\nadditional software and code. For these reasons, unusual URLs can indicate\nunauthorized downloads or threat activity.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
+    "name": "Unusual Linux Web Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unusually high number of authentication attempts.",
+    "false_positives": [
+      "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "suspicious_login_activity_ecs",
+    "name": "Unusual Login Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Network Activity from a Windows System Binary",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n  [network where\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of `rundll32.exe` making outbound network\nconnections. This may indicate adversarial activity and may identify malicious\nDLLs.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Network Connection via RunDLL32",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"rundll32.exe\" and event.type == \"start\"]\n  [network where process.name : \"rundll32.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\",  \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n",
+    "risk_score": 21,
+    "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1085",
+            "name": "Rundll32",
+            "reference": "https://attack.mitre.org/techniques/T1085/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.8.0",
+          "pre_query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 6,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual network destination domain name. This\ncan be due to initial access, persistence, command-and-control, or exfiltration\nactivity. For example, when a user clicks on a link in a phishing email or opens\na malicious document, a request may be sent to download and run a payload from\nan uncommon web server name. When malware is already running, it may send\nrequests to an uncommon DNS domain the malware uses for command-and-control\ncommunication.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_server_domain",
+    "name": "Unusual Network Destination Domain Name",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Parent Process for cmd.exe",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)",
+    "risk_score": 47,
+    "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows programs run from unexpected parent processes. This could\nindicate masquerading or other strange activity on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Parent-Child Relationship",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or process.name:autochk.exe and not process.parent.name:smss.exe or process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and not process.parent.name:svchost.exe or process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe) or process.name:SearchIndexer.exe and not process.parent.name:services.exe or process.name:SearchProtocolHost.exe and not process.parent.name:(SearchIndexer.exe or dllhost.exe) or process.name:dllhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:(lsass.exe or LsaIso.exe) and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+    "risk_score": 47,
+    "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1093",
+            "name": "Process Hollowing",
+            "reference": "https://attack.mitre.org/techniques/T1093/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running in a temporary folder. This is sometimes done by\nadversaries to hide malware.",
+    "false_positives": [
+      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Process Execution - Temp",
+    "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+    "risk_score": 47,
+    "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.working_directory: /tmp and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.working_directory:/tmp and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can\nindicate execution of unauthorized services, malware, or persistence mechanisms.\nProcesses are considered rare when they only run occasionally as compared with\nother processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_process_by_host_linux_ecs",
+    "name": "Unusual Process For a Linux Host",
+    "note": "Alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may\nprovide indications as to the source of the program or the nature of the tasks\nit is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can\nindicate execution of unauthorized services, malware, or persistence mechanisms.\nProcesses are considered rare when they only run occasionally as compared with\nother processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_process_by_host_windows_ecs",
+    "name": "Unusual Process For a Windows Host",
+    "note": "Alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process metadata like the values of the Company, Description and\nProduct fields which may indicate whether the program is associated with an\nexpected software vendor or package.\n* Examine arguments and working directory. These may provide indications as to\nthe source of the program or the nature of the tasks it is performing.\n* Consider the same for the parent process. If the parent process is a\nlegitimate system utility or service, this could be related to software updates\nor system management. If the parent process is something user-facing like an\nOffice application, this process could be more suspicious.\n* If you have file hash values in the event data, and you suspect malware, you\ncan optionally run a search for the file hash to see if the file is identified\nas malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may\nindicate adversarial activity as these applications are often leveraged by\nadversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Process Network Connection",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:network and event.type:connection and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:network and event.type:connection and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
+    "false_positives": [
+      "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Defense Evasion\n** ID: TA0005\n** Reference URL: https://attack.mitre.org/tactics/TA0005/\n* Technique:\n** Name: Abuse Elevation Control Mechanism\n** ID: T1548\n** Reference URL: https://attack.mitre.org/techniques/T1548/\n\n\n* Tactic:\n** Name: Privilege Escalation\n** ID: TA0004\n** Reference URL: https://attack.mitre.org/tactics/TA0004/\n* Technique:\n** Name: Abuse Elevation Control Mechanism\n** ID: T1548\n** Reference URL: https://attack.mitre.org/techniques/T1548/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_sudo_user",
+    "name": "Unusual Sudo Activity",
+    "risk_score": 21,
+    "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual URL that indicates unusual\nweb browsing activity. This can be due to initial access, persistence, command-\nand-control, or exfiltration activity. For example, in a strategic web\ncompromise or watering hole attack, when a trusted website is compromised to\ntarget a particular sector or organization, targeted users may receive emails\nwith uncommon URLs for trusted websites. These URLs can be used to download and\nrun a payload. When malware is already running, it may send requests to uncommon\nURLs on trusted websites the malware uses for command-and-control communication.\nWhen rare URLs are observed being requested for a local web server by a remote\nsource, these can be due to web scanning, enumeration or attack traffic, or they\ncan be due to bots and web scrapers which are part of common Internet background\ntraffic.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_urls",
+    "name": "Unusual Web Request",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual user agent indicating web\nbrowsing activity by an unusual process other than a web browser. This can be\ndue to persistence, command-and-control, or exfiltration activity. Uncommon user\nagents coming from remote sources to local destinations are often the result of\nscanners, bots, and web scrapers, which are part of common Internet background\ntraffic. Much of this is noise, but more targeted attacks on websites using\ntools like Burp or SQLmap can sometimes be discovered by spotting uncommon user\nagents. Uncommon user agents in traffic from local sources to remote\ndestinations can be any number of things, including harmless programs like\nweather monitoring or stock-trading programs. However, uncommon user agents from\nlocal sources can also be due to malware or scanning activity.",
+    "false_positives": [
+      "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_user_agent",
+    "name": "Unusual Web User Agent",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows processes that do not usually use the network but have\nunexpected network activity, which can indicate command-and-control, lateral\nmovement, persistence, or data exfiltration activity. A process with unusual\nnetwork activity can denote process exploitation or injection, where the process\nis used to run persistence mechanisms that allow a malicious actor remote access\nor control of the host, data exfiltration, and execution of unauthorized network\napplications.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_network_activity_ecs",
+    "name": "Unusual Windows Network Activity",
+    "note": "Alerts from this rule indicate the presence of network activity from a Windows\nprocess for which network activity is very unusual.  Here are some possible\navenues of investigation:\n\n* Consider the IP addresses, protocol and ports. Are these used by normal but\ninfrequent network workflows? Are they expected or unexpected?\n* If the destination IP address is remote or external, does it associate with\nan expected domain, organization or geography? Note: avoid interacting directly\nwith suspected malicious IP addresses.\n* Consider the user as identified by the username field. Is this network\nactivity part of an expected workflow for the user who ran the program?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.\n* Consider the same for the parent process. If the parent process is a\nlegitimate system utility or service, this could be related to software updates\nor system management. If the parent process is something user-facing like an\nOffice application, this process could be more suspicious.\n* If you have file hash values in the event data, and you suspect malware, you\ncan optionally run a search for the file hash to see if the file is identified\nas malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes started from atypical folders in the file system, which\nmay indicate malware execution or persistence mechanisms. In corporate Windows\nenvironments, software installation is centrally managed and it is unusual for\nprograms to be executed from user or temporary directories. Processes executed\nfrom these locations can denote that a user downloaded software directly from\nthe Internet or a malicious script or macro executed malware.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_path_activity_ecs",
+    "name": "Unusual Windows Path Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_metadata_process",
+    "name": "Unusual Windows Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual remote desktop protocol (RDP)\nusername, which can indicate account takeover or credentialed persistence using\ncompromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual\nusernames.",
+    "false_positives": [
+      "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_user_type10_remote_login",
+    "name": "Unusual Windows Remote User",
+    "note": "Alerts from this rule indicate activity for a rare and unusual Windows RDP\n(remote desktop) user. Here are some possible avenues of investigation: \n\n* Consider the user as identified by the username field. Is the user part of a\ngroup who normally logs in to Windows hosts using RDP (remote desktop\nprotocol)? Is this logon activity part of an expected workflow for the user? \n* Consider the source of the login. If the source is remote, could this be\nrelated to occasional troubleshooting or support activity by a vendor or an\nemployee working remotely?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual Windows service, This can indicate\nexecution of unauthorized services, malware, or persistence mechanisms. In\ncorporate Windows environments, hosts do not generally run many rare or unique\nservices. This job helps detect malware and persistence mechanisms that have\nbeen installed and run as a service.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_service",
+    "name": "Unusual Windows Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_metadata_user",
+    "name": "Unusual Windows User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual user context switch, using the\n`runas` command or similar techniques, which can indicate account takeover or\nprivilege escalation using compromised accounts. Privilege elevation using\ntools like `runas` are more commonly used by domain and network administrators\nthan by regular Windows users.",
+    "false_positives": [
+      "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_user_runas_event",
+    "name": "Unusual Windows User Privilege Elevation Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally\nactive, which can indicate unauthorized changes, activity by unauthorized users,\nlateral movement, or compromised credentials. In many organizations, new\nusernames are not often created apart from specific types of system activities,\nsuch as creating new accounts for new employees. These user accounts quickly\nbecome active and routine. Events from rarely used usernames can point to\nsuspicious activity. Unusual usernames can also indicate pivoting, where\ncompromised credentials are used to try and move laterally from one host to\nanother.",
+    "false_positives": [
+      "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_user_name_ecs",
+    "name": "Unusual Windows Username",
+    "note": "Alerts from this rule indicate activity for a Windows user name that is rare\nand unusual. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host? Could\nthis be related to occasional troubleshooting or support activity?\n* Examine the history of user activity. If this user manifested only very\nrecently, it might be a service account for a new software package. If it has a\nconsistent schedule - for example if it runs monthly or quarterly - it might be\npart of a monthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may\nprovide indications as to the source of the program or the nature of the tasks\nthat the user is performing.\n* Consider the same for the parent process. If the parent process is a\nlegitimate system utility or service, this could be related to software updates\nor system management. If the parent process is something user-facing like an\nOffice application, this process could be more suspicious.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "N/A",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create new local users. This is sometimes done by\nattackers to increase access to a system or domain.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "User Account Creation",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+    "risk_score": 21,
+    "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "User Added as Owner for Azure Application",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:Success",
+    "risk_score": 21,
+    "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "User Added as Owner for Azure Service Principal",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"
+    ],
+    "risk_score": 21,
+    "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The `whoami` application was executed on a Linux host. This is often used by\ntools and persistence mechanisms to test for privileged access.",
+    "false_positives": [
+      "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "User Discovery via Whoami",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:whoami",
+    "risk_score": 21,
+    "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name: whoami and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:whoami and event.action:executed",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:whoami",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:whoami",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of VNC traffic from the\nInternet. VNC is commonly used by system administrators to remotely control a\nsystem for maintenance or to use shared resources. It should almost never be\ndirectly exposed to the Internet, as it is frequently targeted and exploited by\nthreat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "VNC (Virtual Network Computing) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+    "risk_score": 73,
+    "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of VNC traffic to the Internet.\nVNC is commonly used by system administrators to remotely control a system for\nmaintenance or to use shared resources. It should almost never be directly\nexposed to the Internet, as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "false_positives": [
+      "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "VNC (Virtual Network Computing) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.6.1",
+          "doc_text": "Removed auditbeat-\\*, packetbeat-*, and winlogbeat-* from the rule indices."
+        },
+        {
+          "version": 3,
+          "updated": "7.7.0",
+          "pre_query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.0",
+          "pre_query": "network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Virtual Machine Fingerprinting",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+    "risk_score": 73,
+    "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.action:executed and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.8.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `vssadmin.exe` for shadow copy deletion on endpoints. This\ncommonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Volume Shadow Copy Deletion via VssAdmin",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+    "risk_score": 73,
+    "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `wmic.exe` for shadow copy deletion on endpoints. This\ncommonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Volume Shadow Copy Deletion via WMIC",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+    "risk_score": 73,
+    "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"WMIC.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application server contained no identifying user agent\nstring.",
+    "false_positives": [
+      "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "exists": {
+          "field": "user_agent.original"
+        },
+        "meta": {
+          "disabled": false,
+          "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+          "key": "user_agent.original",
+          "negate": true,
+          "type": "exists",
+          "value": "exists"
+        }
+      }
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Web Application Suspicious Activity: No User Agent",
+    "query": "url.path:*",
+    "references": [
+      "https://en.wikipedia.org/wiki/User_agent"
+    ],
+    "risk_score": 47,
+    "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "url.path: *",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "url.path:*",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "url.path:*",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A POST request to web application returned a 403 response, which indicates the\nweb application declined to process the request because the action requested was\nnot allowed.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Web Application Suspicious Activity: POST Request Declined",
+    "query": "http.response.status_code:403 and http.request.method:post",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_403"
+    ],
+    "risk_score": 47,
+    "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "http.response.status_code:403 and http.request.method:post",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "http.response.status_code:403 and http.request.method:post",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "http.response.status_code:403 and http.request.method:post",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to web application returned a 405 response which indicates the web\napplication declined to process the request because the HTTP method is not\nallowed for the resource.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Web Application Suspicious Activity: Unauthorized Method",
+    "query": "http.response.status_code:405",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_405"
+    ],
+    "risk_score": 47,
+    "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "http.response.status_code:405",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "http.response.status_code:405",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "http.response.status_code:405",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This is an example of how to detect an unwanted web client user agent. This\nsearch matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool\nfor testing web applications for SQL injection vulnerabilities.",
+    "false_positives": [
+      "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Web Application Suspicious Activity: sqlmap User Agent",
+    "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+    "references": [
+      "http://sqlmap.org/"
+    ],
+    "risk_score": 47,
+    "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `whoami.exe` which displays user, group, and privileges\ninformation for the user who is currently logged on to the local system.",
+    "false_positives": [
+      "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Whoami Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe",
+    "risk_score": 21,
+    "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "process.name:whoami.exe and event.code:1",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "process.name:whoami.exe and event.code:1",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 4,
+          "updated": "7.10.0",
+          "pre_query": "process.name:whoami.exe and event.code:1",
+          "doc_text": "Updated query.",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (`Crypt32.dll`)\nvalidates Elliptic Curve Cryptography (ECC) certificates. An attacker could\nexploit the vulnerability by using a spoofed code-signing certificate to sign a\nmalicious executable, making it appear the file was from a trusted, legitimate\nsource.",
+    "index": [
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
+    "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
+    "risk_score": 21,
+    "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1116",
+            "name": "Code Signing",
+            "reference": "https://attack.mitre.org/techniques/T1116/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 3,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.9.0",
+          "pre_query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
+          "doc_text": "Formatting only"
+        },
+        {
+          "version": 3,
+          "updated": "7.10.0",
+          "pre_query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.7.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a PowerShell process launched by either `cscript.exe` or\n`wscript.exe`. Observing Windows scripting processes executing a PowerShell\nscript, may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Windows Script Executing PowerShell",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+    "risk_score": 21,
+    "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5,
+    "changelog": {
+      "changes": [
+        {
+          "version": 2,
+          "updated": "7.7.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 3,
+          "updated": "7.9.0",
+          "pre_query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Updated query."
+        },
+        {
+          "version": 4,
+          "updated": "7.9.1",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        },
+        {
+          "version": 5,
+          "updated": "7.10.0",
+          "pre_query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+          "doc_text": "Formatting only",
+          "pre_name": null
+        }
+      ]
+    },
+    "last_update": "7.10.0",
+    "added": "7.6.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Windows Suspicious Script Object Execution",
+    "query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan=2m\n  [process where event.type in (\"start\", \"process_started\") and\n     /* uncomment once in winlogbeat */\n     /* process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and */\n     not (process.name : \"cscript.exe\" or\n          process.name : \"iexplore.exe\" or\n          process.name : \"MicrosoftEdge.exe\" or\n          process.name : \"msiexec.exe\" or\n          process.name : \"smartscreen.exe\" or\n          process.name : \"taskhostw.exe\" or\n          process.name : \"w3wp.exe\" or\n          process.name : \"wscript.exe\")]\n  [library where event.type == \"start\" and file.name : \"scrobj.dll\"]\n",
+    "risk_score": 21,
+    "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Zoom Meeting with no Passcode",
+    "note": "This rule requires the Zoom Filebeat module.",
+    "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*",
+    "references": [
+      "https://blog.zoom.us/a-message-to-our-users/",
+      "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"
+    ],
+    "risk_score": 47,
+    "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Application",
+      "Communication",
+      "Zoom",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1,
+    "last_update": "7.10.0",
+    "added": "7.10.0"
+  }
+]
\ No newline at end of file
diff --git a/prebuilt-rules-scripts/diff-files/gen-files/json-from-docs-7.10.0.json b/prebuilt-rules-scripts/diff-files/gen-files/json-from-docs-7.10.0.json
new file mode 100644
index 0000000000..79b763eb67
--- /dev/null
+++ b/prebuilt-rules-scripts/diff-files/gen-files/json-from-docs-7.10.0.json
@@ -0,0 +1,1991 @@
+[
+  {
+    "name": "AWS Access Secret in Secrets Manager",
+    "description": "An adversary may attempt to access the secrets in AWS Secrets Manager to steal\ncertificates, credentials, or other sensitive material.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be using\nGetSecretString API for the specified SecretId. If a known behavior is causing\nfalse positives, it can be excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS CloudTrail Log Created",
+    "description": "Identifies the creation of an AWS log trail that specifies the settings for\ndelivery of log data.",
+    "false_positives": [
+      "Trail creations may be made by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Trail creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS CloudTrail Log Deleted",
+    "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in\nan attempt to evade defenses.",
+    "false_positives": [
+      "Trail deletions may be made by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Trail deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS CloudTrail Log Suspended",
+    "description": "Identifies suspending the recording of AWS API calls and log file delivery for\nthe specified trail. An adversary may suspend trails in an attempt to evade\ndefenses.",
+    "false_positives": [
+      "Suspending the recording of a trail may be done by a system or network\nadministrator. Verify whether the user identity, user agent, and/or hostname\nshould be making changes in your environment. Trail suspensions from unfamiliar\nusers or hosts should be investigated. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS CloudTrail Log Updated",
+    "description": "Identifies an update to an AWS log trail setting that specifies the delivery of\nlog files.",
+    "false_positives": [
+      "Trail updates may be made by a system or network administrator. Verify whether\nthe user identity, user agent, and/or hostname should be making changes in your\nenvironment. Trail updates from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS CloudWatch Alarm Deletion",
+    "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete\nalarms in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Alarm deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS CloudWatch Log Group Deletion",
+    "description": "Identifies the deletion of a specific AWS CloudWatch log group. When a log\ngroup is deleted, all the archived log events associated with the log group are\nalso permanently deleted.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Log group deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS CloudWatch Log Stream Deletion",
+    "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently\ndeletes all associated archived log events with the stream.",
+    "false_positives": [
+      "A log stream may be deleted by a system administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Log stream deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS Config Service Tampering",
+    "description": "Identifies attempts to delete an AWS Config Service rule. An adversary may\ntamper with Config rules in order to reduce visibility into the security\nposture of an account and/or its workload instances.",
+    "false_positives": [
+      "Privileged IAM users with security responsibilities may make changes to the\nConfig rules in order to align with local security policies and\nrequirements. Automation, orchestration, and security tools may also make\nchanges to the Config service, when they are used to automate setup or\nconfiguration of AWS accounts. Other types of user or service contexts do not\ncommonly make changes to this service."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS Configuration Recorder Stopped",
+    "description": "Identifies an AWS configuration change to stop recording a designated set of\nresources.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Recording changes from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS EC2 Encryption Disabled",
+    "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) encryption\nin the current region. Disabling default encryption does not change the\nencryption status of your existing volumes.",
+    "false_positives": [
+      "Disabling encryption may be done by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Disabling encryption by unfamiliar users or hosts should\nbe investigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS EC2 Flow Log Deletion",
+    "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud\n(EC2). An adversary may delete flow logs in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Flow log deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS EC2 Network Access Control List Creation",
+    "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access\ncontrol list (ACL) or an entry in a network ACL with a specified rule number.",
+    "false_positives": [
+      "Network ACLs may be created by a network administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Network ACL creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS EC2 Network Access Control List Deletion",
+    "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access\ncontrol list (ACL) or one of its ingress/egress entries.",
+    "false_positives": [
+      "Network ACLs may be deleted by a network administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Network ACL deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS EC2 Snapshot Activity",
+    "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are\nsometimes shared by threat actors in order to exfiltrate bulk data from an EC2\nfleet. If the permissions were modified, verify the snapshot was not shared\nwith an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "IAM users may occasionally share EC2 snapshots with another AWS account\nbelonging to the same organization. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS Execution via System Manager",
+    "description": "Identifies the execution of commands and scripts via System Manager. Execution\nmethods such as RunShellScript, RunPowerShellScript, and alike can be abused by\nan authenticated attacker to install a backdoor or to interact with a\ncompromised instance via reverse-shell using system only commands.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Suspicious commands from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS GuardDuty Detector Deletion",
+    "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion,\nGuardDuty stops monitoring the environment and all existing findings are lost.",
+    "false_positives": [
+      "The GuardDuty detector may be deleted by a system or network administrator.\nVerify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Detector deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS IAM Assume Role Policy Update",
+    "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may\nattempt to modify the AssumeRolePolicy of a misconfigured role in order to gain\nthe privileges of that role.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Policy updates from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS IAM Brute Force of Assume Role Policy",
+    "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access\nManagement (IAM) role. IAM roles are used to delegate access to users or\nservices. An adversary may attempt to enumerate IAM roles in order to determine\nif a role exists before attempting to assume or hijack the discovered role.",
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS IAM Deactivation of MFA Device",
+    "description": "Identifies the deactivation of a specific multi-factor authentication (MFA)\ndevice and removes its association with the user name for which it was\noriginally enabled. In AWS Identity and Access Management (IAM), a device must\nbe deactivated before it can be deleted.",
+    "false_positives": [
+      "A MFA device may be deactivated by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. MFA device deactivations from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS IAM Group Creation",
+    "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM).\nGroups specify permissions for multiple users. All users in a group\nautomatically have the permissions that are assigned to the group.",
+    "false_positives": [
+      "A group may be created by a system or network administrator. Verify whether the\nuser identity, user agent, and/or hostname should be making changes in your\nenvironment. Group creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS IAM Group Deletion",
+    "description": "Identifies the deletion of a specific AWS Identity and Access Management (IAM)\nresource group. Deleting a resource group does not delete resources that are\nmembers of the group, only the group structure.",
+    "false_positives": [
+      "A resource group may be deleted by a system administrator. Verify whether the\nuser identity, user agent, and/or hostname should be making changes in your\nenvironment. Resource group deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS IAM Password Recovery Requested",
+    "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain\nunauthorized AWS access by abusing password recovery mechanisms.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be\nrequesting changes in your environment. Password reset attempts from unfamiliar\nusers should be investigated. If a known behavior is causing false positives,\nit can be excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS IAM User Addition to Group",
+    "description": "Identifies the addition of a user to a specific group in AWS Identity and\nAccess Management (IAM).",
+    "false_positives": [
+      "Adding users to a specific group may be done by a system or network\nadministrator. Verify whether the user identity, user agent, and/or hostname\nshould be making changes in your environment. User additions from unfamiliar\nusers or hosts should be investigated. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS Management Console Brute Force of Root User Identity",
+    "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS Management Console Root Login",
+    "description": "Identifies a successful login to the AWS Management Console by the Root user.",
+    "false_positives": [
+      "It's strongly recommended that the root user is not used for everyday tasks,\nincluding administrative tasks. Verify whether the IP address, location, and/or\nhostname should be logging in as root in your environment. Unfamiliar root\nlogins should be investigated immediately. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS RDS Cluster Creation",
+    "description": "Identifies the creation of a new Amazon Relational Database Service (RDS)\nAurora DB cluster or global database spread across multiple regions.",
+    "false_positives": [
+      "Valid clusters may be created by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Cluster creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS RDS Cluster Deletion",
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora\ndatabase cluster or global database cluster.",
+    "false_positives": [
+      "Clusters may be deleted by a system administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Cluster deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS RDS Instance/Cluster Stoppage",
+    "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.",
+    "false_positives": [
+      "Valid clusters or instances may be stopped by a system administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Cluster or instance stoppages from unfamiliar users or\nhosts should be investigated. If a known behavior is causing false positives,\nit can be excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS Root Login Without MFA",
+    "description": "Identifies attempts to login to AWS as the root user without using multi-factor\nauthentication (MFA). Amazon AWS best practices indicate that the root user\nshould be protected by MFA.",
+    "false_positives": [
+      "Some organizations allow root-user logins without MFA, however this is not\nconsidered best practice by AWS and increases the risk of compromised\ncredentials."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS S3 Bucket Configuration Deletion",
+    "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket\nconfiguration components.",
+    "false_positives": [
+      "Bucket components may be deleted by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Bucket component deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS WAF Access Control List Deletion",
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF)\naccess control list.",
+    "false_positives": [
+      "Firewall ACLs may be deleted by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Web ACL deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "AWS WAF Rule or Rule Group Deletion",
+    "description": "Identifies the deletion of a specific AWS Web Application Firewall (WAF) rule\nor rule group.",
+    "false_positives": [
+      "WAF rules or rule groups may be deleted by a system or network administrator.\nVerify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Rule deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "note": "The AWS Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Abnormally Large DNS Response",
+    "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.",
+    "false_positives": [
+      "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."
+    ],
+    "note": "Detection alerts from this rule indicate an attempt was made to exploit\nCVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS\nserver. Here are some possible avenues of investigation:\n\n* Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.\n* Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n* Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n* Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment."
+  },
+  {
+    "name": "Adding Hidden File Attribute via Attrib",
+    "description": "Adversaries can add the `hidden` attribute to files to hide them from the user\nin an attempt to evade detection."
+  },
+  {
+    "name": "Administrator Privileges Assigned to Okta Group",
+    "description": "An adversary may attempt to assign administrator privileges to an Okta group in\norder to assign additional permissions to compromised user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if\nadministrator privileges are regularly assigned to Okta groups in your\norganization."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Adobe Hijack Persistence",
+    "description": "Detects the creation of an executable file or files that will be automatically\nrun by Acrobat Reader when it starts."
+  },
+  {
+    "name": "Adversary Behavior - Detected - Endpoint Security",
+    "description": "Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Anomalous Kernel Module Activity",
+    "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.",
+    "false_positives": [
+      "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Persistence\n** ID: TA0003\n** Reference URL: https://attack.mitre.org/tactics/TA0003/\n* Technique:\n** Name: Kernel Modules and Extensions\n** ID: T1215\n** Reference URL: https://attack.mitre.org/techniques/T1215/"
+    ]
+  },
+  {
+    "name": "Anomalous Linux Compiler Activity",
+    "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+    "false_positives": [
+      "Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the course of troubleshooting or fixing a software issue."
+    ]
+  },
+  {
+    "name": "Anomalous Process For a Linux Population",
+    "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet\nor network. This reduces the detection of false positives since automated\nmaintenance processes usually only run occasionally on a single machine but are\ncommon to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "note": "Alerts from this rule indicate the presence of a Linux process that is rare\nand unusual for all of the monitored Linux hosts for which Auditbeat data is\navailable. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming."
+  },
+  {
+    "name": "Anomalous Process For a Windows Population",
+    "description": "Searches for rare processes running on multiple hosts in an entire fleet or\nnetwork. This reduces the detection of false positives since automated\nmaintenance processes usually only run occasionally on a single machine but are\ncommon to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "note": "Alerts from this rule indicate the presence of a Windows process that is rare\nand unusual for all of the Windows hosts for which Winlogbeat data is\navailable. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n* Examine the process metadata like the values of the Company, Description and\nProduct fields, which may indicate whether the program is associated with an\nexpected software vendor or package.\n* Examine arguments and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.\n* Consider the same for the parent process. If the parent process is\na legitimate system utility or service, this could be related to software\nupdates or system management. If the parent process is something user-facing\nlike an Office application, this process could be more suspicious.\n* If you have file hash values in the event data, and you suspect malware, you\ncan optionally run a search for the file hash to see if the file is identified\nas malware by anti-malware tools."
+  },
+  {
+    "name": "Anomalous Windows Process Creation",
+    "description": "Identifies unusual parent-child process relationships that can indicate malware\nexecution or persistence mechanisms. Malicious scripts often call on other\napplications and processes as part of their exploit payload. For example, when a\nmalicious Office document runs scripts as part of an exploit payload, Excel or\nWord may start a script interpreter process, which, in turn, runs a script that\ndownloads and executes malware. Another common scenario is Outlook running an\nunusual process when malware is downloaded in an email. Monitoring and\nidentifying anomalous process relationships is a method of detecting new and\nemerging malware that is not yet recognized by anti-virus scanners.",
+    "false_positives": [
+      "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ]
+  },
+  {
+    "name": "Attempt to Create Okta API Token",
+    "description": "An adversary may create an Okta API token to maintain access to an\norganization's network while they work to achieve their objectives. An attacker\nmay abuse an API token to execute techniques such as creating user accounts, or\ndisabling security rules or policies.",
+    "false_positives": [
+      "If the behavior of creating Okta API tokens is expected, consider adding\nexceptions to this rule to filter false positives."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempt to Deactivate MFA for Okta User Account",
+    "description": "An adversary may deactivate multi-factor authentication (MFA) for an Okta user\naccount in order to weaken the authentication requirements for the account.",
+    "false_positives": [
+      "If the behavior of deactivating MFA for Okta user accounts is expected,\nconsider adding exceptions to this rule to filter false positives."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempt to Deactivate Okta MFA Rule",
+    "description": "An adversary may attempt to deactivate an Okta multi-factor authentication\n(MFA) rule in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA\nrules are regularly deactivated in your organization."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempt to Deactivate Okta Policy",
+    "description": "An adversary may attempt to deactivate an Okta policy in order to weaken an\norganization's security controls. For example, an adversary may attempt to\ndeactivate an Okta multi-factor authentication (MFA) policy in order to weaken\nthe authentication requirements for user accounts.",
+    "false_positives": [
+      "If the behavior of deactivating Okta policies is expected, consider adding\nexceptions to this rule to filter false positives."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempt to Delete Okta Policy",
+    "description": "An adversary may attempt to delete an Okta policy in order to weaken an\norganization's security controls. For example, an adversary may attempt to\ndelete an Okta multi-factor authentication (MFA) policy in order to weaken the\nauthentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta\npolicies are regularly deleted in your organization."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempt to Disable IPTables or Firewall",
+    "description": "Identifies attempts to disable ip tables or a firewall service, a technique\nadversaries can use to modify the network traffic hosts are allowed to send and\nreceive."
+  },
+  {
+    "name": "Attempt to Disable Syslog Service",
+    "description": "Identifies attempts to disable the `syslog` service, a technique adversaries can\nuse to disrupt event logging and evade detection by security controls."
+  },
+  {
+    "name": "Attempt to Modify Okta MFA Rule",
+    "description": "An adversary may attempt to modify an Okta multi-factor authentication (MFA)\nrule in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA\nrules are regularly modified in your organization."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempt to Modify Okta Network Zone",
+    "description": "Okta network zones can be configured to limit or restrict access to a network\nbased on IP addresses or geolocations. An adversary may attempt to modify,\ndelete, or deactivate an Okta network zone in order to remove or weaken an\norganization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your\norganization's Okta network zones are regularly modified."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempt to Modify Okta Policy",
+    "description": "An adversary may attempt to modify an Okta policy in order to weaken an\norganization's security controls. For example, an adversary may attempt to\nmodify an Okta multi-factor authentication (MFA) policy in order to weaken the\nauthentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta\npolicies are regularly modified in your organization."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempt to Reset MFA Factors for Okta User Account",
+    "description": "An adversary may attempt to remove the multi-factor authentication (MFA)\nfactors registered on an Okta user's account in order to register new MFA\nfactors and abuse the account to blend in with normal activity in the victim's\nenvironment.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if the MFA\nfactors for Okta user accounts are regularly reset in your organization."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempt to Revoke Okta API Token",
+    "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to\nrevoke or delete an Okta API token to disrupt an organization's business\noperations.",
+    "false_positives": [
+      "If the behavior of revoking Okta API tokens is expected, consider adding\nexceptions to this rule to filter false positives."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempted Bypass of Okta MFA",
+    "description": "An adversary may attempt to bypass the Okta multi-factor authentication (MFA)\npolicies configured for an organization in order to obtain unauthorized access\nto an application. This rule detects when an Okta MFA bypass attempt occurs.",
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Attempts to Brute Force an Okta User Account",
+    "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Automation Account Created",
+    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Automation Runbook Created or Modified",
+    "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Automation Runbook Deleted",
+    "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Automation Webhook Created",
+    "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Blob Container Access Level Modification",
+    "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.",
+    "false_positives": [
+      "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Command Execution on Virtual Machine",
+    "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
+    "false_positives": [
+      "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Conditional Access Policy Modified",
+    "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Diagnostic Settings Deletion",
+    "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
+    "false_positives": [
+      "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Event Hub Authorization Rule Created or Updated",
+    "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
+    "false_positives": [
+      "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Event Hub Deletion",
+    "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.",
+    "false_positives": [
+      "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure External Guest User Invitation",
+    "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.",
+    "false_positives": [
+      "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Firewall Policy Deletion",
+    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Global Administrator Role Addition to PIM User",
+    "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.",
+    "false_positives": [
+      "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Key Vault Modified",
+    "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
+    "false_positives": [
+      "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Network Watcher Deletion",
+    "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
+    "false_positives": [
+      "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Privilege Identity Management Role Modified",
+    "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.",
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Resource Group Deletion",
+    "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
+    "false_positives": [
+      "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Azure Storage Account Key Regenerated",
+    "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.",
+    "false_positives": [
+      "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."
+    ],
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Base16 or Base32 Encoding/Decoding Activity",
+    "description": "Identifies attempts to encode and decode data, a technique adversaries can\nuse to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ]
+  },
+  {
+    "name": "Base64 Encoding/Decoding Activity",
+    "description": "Identifies attempts to encode and decode data, a technique adversaries can\nuse to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ]
+  },
+  {
+    "name": "Bypass UAC via Event Viewer",
+    "description": "Identifies User Account Control (UAC) bypass via `eventvwr.exe.` Attackers\nbypass UAC to stealthily execute code with elevated permissions."
+  },
+  {
+    "name": "Bypass UAC via Sdclt",
+    "description": "Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with elevated permissions."
+  },
+  {
+    "name": "Clearing Windows Event Logs",
+    "description": "Identifies attempts to clear Windows event log stores. This is often done by\nattackers in an attempt to evade detection or destroy forensic evidence on a\nsystem."
+  },
+  {
+    "name": "Cobalt Strike Command and Control Beacon",
+    "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
+    ],
+    "note": "This activity has been observed in FIN7 campaigns."
+  },
+  {
+    "name": "Command Prompt Network Connection",
+    "description": "Identifies `cmd.exe` making a network connection. Adversaries can abuse\n`cmd.exe` to download or execute malware from a remote URL.",
+    "false_positives": [
+      "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
+    ]
+  },
+  {
+    "name": "Compression of Keychain Credentials Directories",
+    "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos."
+  },
+  {
+    "name": "Conhost Spawned By Suspicious Parent Process",
+    "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection."
+  },
+  {
+    "name": "Connection to External Network via Telnet",
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ]
+  },
+  {
+    "name": "Connection to Internal Network via Telnet",
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ]
+  },
+  {
+    "name": "Creation of Hidden Files and Directories",
+    "description": "Users can mark specific files as hidden simply by adding a `.` as the first\ncharacter in the file or folder name. Adversaries can use this to their\nadvantage to hide files and folders on the system for persistence and defense\nevasion. This rule looks for hidden files or folders in common writable\ndirectories.",
+    "false_positives": [
+      "Certain tools may create hidden temporary files or directories upon\ninstallation or as part of their normal behavior. These events can be filtered\nby the process arguments, username, or process name values."
+    ]
+  },
+  {
+    "name": "Creation or Modification of Domain Backup DPAPI private key",
+    "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
+    "note": "Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys."
+  },
+  {
+    "name": "Creation or Modification of a new GPO Scheduled Task or Service",
+    "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines."
+  },
+  {
+    "name": "Credential Dumping - Detected - Endpoint Security",
+    "description": "Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Credential Dumping - Prevented - Endpoint Security",
+    "description": "Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Credential Manipulation - Detected - Endpoint Security",
+    "description": "Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Credential Manipulation - Prevented - Endpoint Security",
+    "description": "Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "DNS Activity to the Internet",
+    "description": "Detects when an internal network client sends DNS traffic directly to the\nInternet. This is atypical behavior for a managed network, and can be indicative\nof malware, exfiltration, command and control, or, simply, misconfiguration.\nThis DNS activity also impacts your organization's ability to provide enterprise\nmonitoring and logging of DNS, and opens your network to a variety of abuses and\nmalicious communications.",
+    "false_positives": [
+      "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
+    ]
+  },
+  {
+    "name": "DNS Tunneling",
+    "description": "Detects unusually large numbers of DNS queries for a single top-level DNS\ndomain, which is often used for DNS tunneling. DNS tunneling can be used for\ncommand-and-control, persistence, or data exfiltration activity. For example,\n`dnscat` tends to generate many DNS questions for a top-level domain as it uses\nthe DNS protocol to tunnel data.",
+    "false_positives": [
+      "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
+    ]
+  },
+  {
+    "name": "Delete Volume USN Journal with Fsutil",
+    "description": "Identifies use of the `fsutil.exe` to delete the `USNJRNL` volume. This\ntechnique is used by attackers to eliminate evidence of files created during\npost-exploitation activities."
+  },
+  {
+    "name": "Deleting Backup Catalogs with Wbadmin",
+    "description": "Identifies use of the `wbadmin.exe` to delete the backup catalog. Ransomware and\nother malware may do this to prevent system recovery."
+  },
+  {
+    "name": "Deletion of Bash Command Line History",
+    "description": "Adversaries may attempt to clear the bash command line history in an attempt to\nevade detection or forensic investigations."
+  },
+  {
+    "name": "Direct Outbound SMB Connection",
+    "description": "Identifies unexpected processes making network connections over port 445.\nWindows File Sharing is typically implemented over Server Message Block (SMB),\nwhich communicates between hosts using port 445. When legitimate, these network\nconnections are established by the kernel. Processes making 445/tcp connections\nmay be port scanners, exploits, or suspicious user-level processes moving\nlaterally."
+  },
+  {
+    "name": "Disable Windows Firewall Rules via Netsh",
+    "description": "Identifies use of the `netsh.exe` to disable or weaken the local firewall.\nAttackers will use this command line tool to disable the firewall during\ntroubleshooting or to enable network mobility."
+  },
+  {
+    "name": "Encoding or Decoding Files via CertUtil",
+    "description": "Identifies the use of `certutil.exe` to encode or decode data. CertUtil is a\nnative Windows component which is part of Certificate Services. CertUtil is\noften abused by attackers to encode or decode base64 data for stealthier command\nand control or exfiltration."
+  },
+  {
+    "name": "Endpoint Security",
+    "description": "Generates a detection alert each time an Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts."
+  },
+  {
+    "name": "Enumeration of Kernel Modules",
+    "description": "Identifies attempts to enumerate information about a kernel module. Loadable\nKernel Modules (LKMs) are pieces of code that can be loaded and unloaded into\nthe kernel upon demand. They extend the functionality of the kernel without the\nneed to reboot the system.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+    ]
+  },
+  {
+    "name": "Execution of File Written or Modified by Microsoft Office",
+    "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications."
+  },
+  {
+    "name": "Execution of File Written or Modified by PDF Reader",
+    "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications."
+  },
+  {
+    "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
+    "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use."
+  },
+  {
+    "name": "Execution via Regsvcs/Regasm",
+    "description": "`RegSvcs.exe` and `RegAsm.exe` are Windows command line utilities that are used\nto register .NET Component Object Model (COM) assemblies. Adversaries can use\n`RegSvcs.exe` and `RegAsm.exe` to proxy execution of code through a trusted\nWindows utility."
+  },
+  {
+    "name": "Exploit - Detected - Endpoint Security",
+    "description": "Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Exploit - Prevented - Endpoint Security",
+    "description": "Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "External Alerts",
+    "description": "Generates a detection alert for each external alert written to the configured\nsecuritySolution:defaultIndex. Enabling this rule allows you to immediately\nbegin investigating external alerts in the app."
+  },
+  {
+    "name": "FTP (File Transfer Protocol) Activity to the Internet",
+    "description": "Detects events that may indicate the use of FTP network connections to the\nInternet. The File Transfer Protocol (FTP) has been around in its current form\nsince the 1980s. It can be a common and efficient procedure on your network to\nsend and receive files. Because of this, adversaries will also often use this\nprotocol to exfiltrate data from your network or download new tools.\nAdditionally, FTP is a plain-text protocol which, if intercepted, may expose\nusernames and passwords. FTP activity involving servers subject to regulations\nor compliance standards may be unauthorized.",
+    "false_positives": [
+      "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
+    ]
+  },
+  {
+    "name": "File Deletion via Shred",
+    "description": "Identifies file deletions using the `shred` command. Malware or other files\ndropped or created on a system by an adversary may leave traces behind as to\nwhat was done within a network and how. Adversaries may remove these files over\nthe course of an intrusion to keep their footprint low or remove them at the\nend as part of the post-intrusion cleanup process."
+  },
+  {
+    "name": "File Permission Modification in Writable Directory",
+    "description": "Identifies file permission modifications in common writable directories by a\nnon-root user. Adversaries often drop files or payloads into a writable\ndirectory, and change permissions prior to execution.",
+    "false_positives": [
+      "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+    ]
+  },
+  {
+    "name": "GCP Firewall Rule Creation",
+    "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
+    "false_positives": [
+      "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Firewall Rule Deletion",
+    "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Firewall Rule Modification",
+    "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP IAM Custom Role Creation",
+    "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+    "false_positives": [
+      "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP IAM Role Deletion",
+    "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.",
+    "false_positives": [
+      "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP IAM Service Account Key Deletion",
+    "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.",
+    "false_positives": [
+      "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Logging Bucket Deletion",
+    "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.",
+    "false_positives": [
+      "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Logging Sink Deletion",
+    "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.",
+    "false_positives": [
+      "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Logging Sink Modification",
+    "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.",
+    "false_positives": [
+      "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Pub/Sub Subscription Creation",
+    "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Pub/Sub Subscription Deletion",
+    "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Pub/Sub Topic Creation",
+    "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
+    "false_positives": [
+      "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Pub/Sub Topic Deletion",
+    "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
+    "false_positives": [
+      "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Service Account Creation",
+    "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
+    "false_positives": [
+      "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Service Account Deletion",
+    "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Service Account Disabled",
+    "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Service Account Key Creation",
+    "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.",
+    "false_positives": [
+      "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Storage Bucket Configuration Modification",
+    "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
+    "false_positives": [
+      "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Storage Bucket Deletion",
+    "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Storage Bucket Permissions Modification",
+    "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Virtual Private Cloud Network Deletion",
+    "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
+    "false_positives": [
+      "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Virtual Private Cloud Route Creation",
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "GCP Virtual Private Cloud Route Deletion",
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "note": "The GCP Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Halfbaked Command and Control Beacon",
+    "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
+    ],
+    "note": "This activity has been observed in FIN7 campaigns."
+  },
+  {
+    "name": "Hex Encoding/Decoding Activity",
+    "description": "Identifies attempts to encode and decode data, a technique adversaries can\nuse to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ]
+  },
+  {
+    "name": "High Number of Okta User Password Reset or Unlock Attempts",
+    "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
+    "false_positives": [
+      "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Hosts File Modified",
+    "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.",
+    "note": "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."
+  },
+  {
+    "name": "Hping Process Activity",
+    "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has\nthe ability to construct network packets for a wide variety of network security\ntesting applications, including scanning and firewall auditing.",
+    "false_positives": [
+      "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ]
+  },
+  {
+    "name": "IIS HTTP Logging Disabled",
+    "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure."
+  },
+  {
+    "name": "IPSEC NAT Traversal Port Activity",
+    "description": "Detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a\nVPN technology that allows one system to talk to another using encrypted\ntunnels. NAT Traversal enables these tunnels to communicate over the Internet\nwhere one of the sides is behind a NAT router gateway. This may be common on\nyour network, but this technique is also used by threat actors to avoid\ndetection.",
+    "false_positives": [
+      "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
+    ]
+  },
+  {
+    "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
+    "description": "Detects events that use common ports for Internet Relay Chat (IRC) to the\nInternet. IRC is a common protocol that can be used for chat and file transfers.\nThis protocol is also a good candidate for remote control of malware and data\ntransfers to and from a network.",
+    "false_positives": [
+      "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions."
+    ]
+  },
+  {
+    "name": "Inbound Connection to an Unsecure Elasticsearch Node",
+    "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
+    "false_positives": [
+      "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
+    ],
+    "note": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation."
+  },
+  {
+    "name": "InstallUtil Process Making Network Connections",
+    "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection."
+  },
+  {
+    "name": "Installation of Custom Shim Databases",
+    "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes."
+  },
+  {
+    "name": "Interactive Terminal Spawned via Perl",
+    "description": "Identifies when a terminal (`tty`) is spawned via Perl. Attackers may upgrade a\nsimple reverse shell to a fully interactive `tty` after obtaining initial\naccess to a host."
+  },
+  {
+    "name": "Interactive Terminal Spawned via Python",
+    "description": "Identifies when a terminal (`tty`) is spawned via Python. Attackers may upgrade\na simple reverse shell to a fully interactive `tty` after obtaining initial\naccess to a host."
+  },
+  {
+    "name": "Kerberos Cached Credentials Dumping",
+    "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets."
+  },
+  {
+    "name": "Kernel Module Removal",
+    "description": "Identifies attempts to remove a kernel module. Kernel modules are pieces of\ncode that can be loaded and unloaded into the kernel upon demand. They extend\nthe functionality of the kernel without the need to reboot the system.",
+    "false_positives": [
+      "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+    ]
+  },
+  {
+    "name": "Local Scheduled Task Commands",
+    "description": "A scheduled task can be used by an adversary to establish persistence, move\nlaterally, and/or escalate privileges.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ]
+  },
+  {
+    "name": "Local Service Commands",
+    "description": "Identifies use of `sc.exe` to create, modify, or start services on remote hosts.\nThis could be indicative of adversary lateral movement but will be noisy if\ncommonly done by admins."
+  },
+  {
+    "name": "Malware - Detected - Endpoint Security",
+    "description": "Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Malware - Prevented - Endpoint Security",
+    "description": "Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Microsoft Build Engine Loading Windows Credential Libraries",
+    "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically\nlinked libraries) responsible for Windows credential management. This technique\nis sometimes used for credential dumping.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ]
+  },
+  {
+    "name": "Microsoft Build Engine Started an Unusual Process",
+    "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script\nor the Visual C# Command Line Compiler. This technique is sometimes used to\ndeploy a malicious payload using the Build Engine.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
+    ]
+  },
+  {
+    "name": "Microsoft Build Engine Started by a Script Process",
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or\nthe Windows command interpreter. This behavior is unusual and is sometimes used\nby malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ]
+  },
+  {
+    "name": "Microsoft Build Engine Started by a System Process",
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or\nthe WMI (Windows Management Instrumentation) subsystem. This behavior is unusual\nand is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ]
+  },
+  {
+    "name": "Microsoft Build Engine Started by an Office Application",
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or\nWord. This is unusual behavior for the Build Engine and could have been caused\nby an Excel or Word document executing a malicious script payload.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
+    ]
+  },
+  {
+    "name": "Microsoft Build Engine Using an Alternate Name",
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being\nrenamed. This is uncommon behavior and may indicate an attempt to run MSBuild\nunnoticed or undetected.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ]
+  },
+  {
+    "name": "Microsoft IIS Connection Strings Decryption",
+    "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command."
+  },
+  {
+    "name": "Microsoft IIS Service Account Password Dumped",
+    "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd."
+  },
+  {
+    "name": "Mimikatz Memssp Log File Detected",
+    "description": "Identifies the password log file from the default Mimikatz memssp module."
+  },
+  {
+    "name": "Mknod Process Activity",
+    "description": "The Linux `mknod` program is sometimes used in the command payload of a remote\ncommand injection (RCI) and other exploits. It is used to export a command shell\nwhen the traditional version of `netcat` is not available to the payload.",
+    "false_positives": [
+      "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+    ]
+  },
+  {
+    "name": "Modification of Boot Configuration",
+    "description": "Identifies use of `bcdedit.exe` to delete boot configuration data. Malware and\nattackers sometimes use this tactic as a destructive technique."
+  },
+  {
+    "name": "Modification or Removal of an Okta Application Sign-On Policy",
+    "description": "An adversary may attempt to modify or delete the sign on policy for an Okta\napplication in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if sign on\npolicies for Okta applications are regularly modified or deleted in your\norganization."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "MsBuild Making Network Connections",
+    "description": "Identifies `MsBuild.exe` making outbound network connections. This may indicate\nadversarial activity as MsBuild is often leveraged by adversaries to execute\ncode and evade detection."
+  },
+  {
+    "name": "MsBuild Network Connection Sequence",
+    "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection."
+  },
+  {
+    "name": "MsXsl Making Network Connections",
+    "description": "Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection."
+  },
+  {
+    "name": "Mshta Making Network Connections",
+    "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection."
+  },
+  {
+    "name": "Multi-Factor Authentication Disabled for an Azure User",
+    "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.",
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Net command via SYSTEM account",
+    "description": "Identifies the SYSTEM account using the Net utility. The Net utility is a\ncomponent of the Windows operating system. It is used in command line operations\nfor control of users, groups, services, and network connections."
+  },
+  {
+    "name": "Netcat Network Activity",
+    "description": "A `netcat` process is engaging in network activity on a Linux host. Netcat is\noften used as a persistence mechanism by exporting a reverse shell or by serving\na shell on a listening port. Netcat is also sometimes used for data\nexfiltration.",
+    "false_positives": [
+      "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
+    ]
+  },
+  {
+    "name": "Network Connection via Certutil",
+    "description": "Identifies `certutil.exe` making a network connection. Adversaries could abuse\n`certutil.exe` to download a certificate or malware from a remote URL."
+  },
+  {
+    "name": "Network Connection via Compiled HTML File",
+    "description": "Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft\nHTML Help system. Adversaries may conceal malicious code in a CHM file and\ndeliver it to a victim for execution. CHM content is loaded by the HTML Help\nexecutable program (`hh.exe`)."
+  },
+  {
+    "name": "Network Connection via MsXsl",
+    "description": "Identifies `msxsl.exe` making a network connection. This may indicate\nadversarial activity as `msxsl.exe` is often leveraged by adversaries to\nexecute malicious scripts and evade detection."
+  },
+  {
+    "name": "Network Connection via Mshta",
+    "description": "Identifies `mshta.exe` making a network connection. This may indicate\nadversarial activity as `mshta.exe` is often leveraged by adversaries to execute\nmalicious scripts and evade detection."
+  },
+  {
+    "name": "Network Connection via Registration Utility",
+    "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
+    "false_positives": [
+      "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
+    ]
+  },
+  {
+    "name": "Network Connection via Signed Binary",
+    "description": "Binaries signed with trusted digital certificates can execute on Windows systems\nprotected by digital signature validation. Adversaries may use these binaries to\n'live off the land' and execute malicious files that could bypass application\nallowlists and signature validation."
+  },
+  {
+    "name": "Network Sniffing via Tcpdump",
+    "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or\npacket sniffing tool that can be used to capture insecure credentials or data in\nmotion. Sniffing can also be used to discover details of network services as a\nprelude to lateral movement or defense evasion.",
+    "false_positives": [
+      "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
+    ]
+  },
+  {
+    "name": "Nmap Process Activity",
+    "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and\nsecurity testing. It can map and discover networks, and identify listening\nservices and operating systems. It is sometimes used to gather information in\nsupport of exploitation, execution or lateral movement.",
+    "false_positives": [
+      "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon."
+    ]
+  },
+  {
+    "name": "Nping Process Activity",
+    "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the\nability to construct raw packets for a wide variety of security testing\napplications, including denial of service testing.",
+    "false_positives": [
+      "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
+    ]
+  },
+  {
+    "name": "Okta Brute Force or Password Spraying Attack",
+    "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "PPTP (Point to Point Tunneling Protocol) Activity",
+    "description": "Detects events that may indicate use of a PPTP VPN connection. Some threat\nactors use these types of connections to tunnel their traffic while avoiding\ndetection.",
+    "false_positives": [
+      "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded."
+    ]
+  },
+  {
+    "name": "Permission Theft - Detected - Endpoint Security",
+    "description": "Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Permission Theft - Prevented - Endpoint Security",
+    "description": "Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Persistence via Kernel Module Modification",
+    "description": "Identifies loadable kernel module errors, which are often indicative of\npotential persistence attempts.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon."
+    ]
+  },
+  {
+    "name": "Persistence via TelemetryController Scheduled Task Hijack",
+    "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system."
+  },
+  {
+    "name": "Persistence via Update Orchestrator Service Hijack",
+    "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM."
+  },
+  {
+    "name": "Possible Consent Grant Attack via Azure-Registered Application",
+    "description": "Identifies when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.",
+    "note": "- The Azure Filebeat module must be enabled to use this rule.\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items."
+  },
+  {
+    "name": "Possible FIN7 DGA Command and Control Behavior",
+    "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
+    "false_positives": [
+      "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+    ],
+    "note": "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`."
+  },
+  {
+    "name": "Possible Okta DoS Attack",
+    "description": "An adversary may attempt to disrupt an organization's business operations by\nperforming a denial of service (DoS) attack against its Okta infrastructure.",
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Potential Application Shimming via Sdbinst",
+    "description": "The Application Shim was created to allow for backward compatibility of software\nas the operating system codebase changes over time. This Windows functionality\nhas been abused by attackers to stealthily gain persistence and arbitrary code\nexecution in legitimate Windows processes."
+  },
+  {
+    "name": "Potential DLL SideLoading via Trusted Microsoft Programs",
+    "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes."
+  },
+  {
+    "name": "Potential DNS Tunneling via Iodine",
+    "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over\nthe DNS protocol to circumvent firewalls, network security groups, and network\naccess lists while evading detection.",
+    "false_positives": [
+      "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ]
+  },
+  {
+    "name": "Potential Disabling of SELinux",
+    "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux),\nwhich is a Linux kernel security feature that supports access control policies.\nAdversaries may disable security tools to avoid possible detection of their\ntools and activities."
+  },
+  {
+    "name": "Potential Evasion via Filter Manager",
+    "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by\nadversaries to unload a filter driver and evade defenses."
+  },
+  {
+    "name": "Potential Modification of Accessibility Binaries",
+    "description": "Windows contains accessibility features that may be launched with a key\ncombination before a user has logged in. An adversary can modify the way these\nprograms are launched to get a command prompt or backdoor without logging in to\nthe system."
+  },
+  {
+    "name": "Potential Secure File Deletion via SDelete Utility",
+    "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+    "note": "Verify process details such as command line and hash to confirm this activity legitimacy."
+  },
+  {
+    "name": "Potential Shell via Web Server",
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a\nvulnerability and remote shell access.",
+    "false_positives": [
+      "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
+    ]
+  },
+  {
+    "name": "PowerShell spawning Cmd",
+    "description": "Identifies a suspicious parent child process relationship with `cmd.exe`\ndescending from `PowerShell.exe`."
+  },
+  {
+    "name": "Process Activity via Compiled HTML File",
+    "description": "Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft\nHTML Help system. Adversaries may conceal malicious code in a CHM file and\ndeliver it to a victim for execution. CHM content is loaded by the HTML Help\nexecutable program (`hh.exe`).",
+    "false_positives": [
+      "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."
+    ]
+  },
+  {
+    "name": "Process Discovery via Tasklist",
+    "description": "Adversaries may attempt to get information about running processes on a system.",
+    "false_positives": [
+      "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes."
+    ]
+  },
+  {
+    "name": "Process Injection - Detected - Endpoint Security",
+    "description": "Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Process Injection - Prevented - Endpoint Security",
+    "description": "Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Process Injection by the Microsoft Build Engine",
+    "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another\nprocess. This technique is sometimes used to evade detection or elevate\nprivileges.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ]
+  },
+  {
+    "name": "Process Potentially Masquerading as WerFault",
+    "description": "Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed.",
+    "false_positives": [
+      "Legit Application Crash with rare Werfault commandline value"
+    ]
+  },
+  {
+    "name": "Proxy Port Activity to the Internet",
+    "description": "Detects events that may describe network events of proxy use to the Internet. It\nincludes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments\nwill use an internal IP address for a proxy server. It can also be used to\ncircumvent network controls and detection mechanisms.",
+    "false_positives": [
+      "Some proxied applications may use these ports but this usually occurs in local\ntraffic using private IPs which this rule does not match. Proxies are widely\nused as a security technology but in enterprise environments this is usually\nlocal traffic which this rule does not match. If desired, internet proxy\nservices using these ports can be added to allowlists. Some screen recording\napplications may use these ports.\n\nProxy port activity involving an unusual source or destination may be more\nsuspicious. Some cloud environments may use this port when VPNs or direct\nconnects are not in use and cloud instances are accessed across the Internet.\nBecause these ports are in the ephemeral range, this rule may false under\ncertain conditions such as when a NATed web server replies to a client which has\nused a port in the range by coincidence. In this case, such servers can be\nexcluded if desired."
+    ]
+  },
+  {
+    "name": "PsExec Network Connection",
+    "description": "Identifies use of the SysInternals tool `PsExec.exe` making a network\nconnection. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ]
+  },
+  {
+    "name": "Public IP Reconnaissance Activity",
+    "description": "Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.",
+    "false_positives": [
+      "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."
+    ],
+    "note": "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert."
+  },
+  {
+    "name": "RDP (Remote Desktop Protocol) from the Internet",
+    "description": "Detects network events that may indicate the use of RDP traffic from the\nInternet. RDP is commonly used by system administrators to remotely control a\nsystem for maintenance or to use shared resources. It should almost never be\ndirectly exposed to the Internet, as it is frequently targeted and exploited by\nthreat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ]
+  },
+  {
+    "name": "RDP (Remote Desktop Protocol) to the Internet",
+    "description": "Detects network events that may indicate the use of RDP traffic to the Internet.\nRDP is commonly used by system administrators to remotely control a system for\nmaintenance or to use shared resources. It should almost never be directly\nexposed to the Internet, as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "false_positives": [
+      "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ]
+  },
+  {
+    "name": "RPC (Remote Procedure Call) from the Internet",
+    "description": "Detects network events that may indicate the use of RPC traffic from the\nInternet. RPC is commonly used by system administrators to remotely control a\nsystem for maintenance or to use shared resources. It should almost never be\ndirectly exposed to the Internet, as it is frequently targeted and exploited by\nthreat actors as an initial access or back-door vector."
+  },
+  {
+    "name": "RPC (Remote Procedure Call) to the Internet",
+    "description": "Detects network events that may indicate the use of RPC traffic to the Internet.\nRPC is commonly used by system administrators to remotely control a system for\nmaintenance or to use shared resources. It should almost never be directly\nexposed to the Internet, as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector."
+  },
+  {
+    "name": "Ransomware - Detected - Endpoint Security",
+    "description": "Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Ransomware - Prevented - Endpoint Security",
+    "description": "Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information."
+  },
+  {
+    "name": "Rare AWS Error Code",
+    "description": "A machine learning job detected an unusual error in a CloudTrail message. These\ncan be byproducts of attempted or successful persistence, privilege escalation,\ndefense evasion, discovery, lateral movement, or collection.",
+    "false_positives": [
+      "Rare and unusual errors may indicate an impending service failure state. Rare\nand unusual user error activity can also be due to manual troubleshooting or\nreconfiguration attempts by insufficiently privileged users, bugs in cloud\nautomation scripts or workflows, or changes to IAM privileges."
+    ],
+    "note": "Alerts from this rule indicate a rare and unusual error code that is\nassociated with the response to an AWS API command or method call. Here are\nsome possible avenues of investigation:\n\n* Examine the history of the error. Has it manifested before? If the error,\nwhich is visible in the `aws.cloudtrail.error_code field`, manifested only very\nrecently, it might be related to recent changes in an automation module or\nscript.\n* Examine the request parameters. These may provide indications as to the\nnature of the task being performed when the error occurred. Is the error\nrelated to unsuccessful attempts to enumerate or access objects, data, or\nsecrets? If so, this can sometimes be a byproduct of discovery, privilege\nescalation, or lateral movement attempts.\n* Consider the user as identified in the `user.name` field. Is this activity\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?"
+  },
+  {
+    "name": "Registration Tool Making Network Connections",
+    "description": "Identifies registration utilities making outbound network connections. This includes regsvcs, regasm, and regsvr32. This may indicate adversarial activity as these tools are often leveraged by adversaries to execute code and evade detection."
+  },
+  {
+    "name": "Remote File Copy via TeamViewer",
+    "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session."
+  },
+  {
+    "name": "Remote File Download via Desktopimgdownldr Utility",
+    "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil."
+  },
+  {
+    "name": "Remote File Download via MpCmdRun",
+    "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.",
+    "note": "Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`."
+  },
+  {
+    "name": "Remote SSH Login Enabled via systemsetup Command",
+    "description": "Detects use of the systemsetup command to enable remote SSH Login."
+  },
+  {
+    "name": "Renamed AutoIt Scripts Interpreter",
+    "description": "Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable to avoid detection."
+  },
+  {
+    "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
+    "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
+    "false_positives": [
+      "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
+    ],
+    "note": "This activity has been observed in FIN7 campaigns."
+  },
+  {
+    "name": "SMB (Windows File Sharing) Activity to the Internet",
+    "description": "Detects network events that may indicate the use of Windows file sharing (also\ncalled SMB or CIFS) traffic to the Internet. SMB is commonly used within\nnetworks to share files, printers, and other system resources amongst trusted\nsystems. It should almost never be directly exposed to the Internet, as it is\nfrequently targeted and exploited by threat actors as an initial access or back-\ndoor vector or for data exfiltration."
+  },
+  {
+    "name": "SMTP on Port 26/TCP",
+    "description": "Detects events that may indicate use of SMTP on TCP port 26. This port is\ncommonly used by several popular mail transfer agents to deconflict with the\ndefault SMTP port 25. This port has also been used by a malware family called\nBadPatch for command and control of Windows systems.",
+    "false_positives": [
+      "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
+    ]
+  },
+  {
+    "name": "SMTP to the Internet",
+    "description": "Detects events that may describe SMTP traffic from internal hosts to a host\nacross the Internet. In an enterprise network, there is typically a dedicated\ninternal host that performs this function. It is also frequently abused by\nthreat actors for command and control, or data exfiltration.",
+    "false_positives": [
+      "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior."
+    ]
+  },
+  {
+    "name": "SQL Traffic to the Internet",
+    "description": "Detects events that may describe database traffic (MS SQL, Oracle, MySQL, and\nPostgresql) across the Internet. Databases should almost never be directly\nexposed to the Internet, as they are frequently targeted by threat actors to\ngain initial access to network resources.",
+    "false_positives": [
+      "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet."
+    ]
+  },
+  {
+    "name": "SSH (Secure Shell) from the Internet",
+    "description": "Detects network events that may indicate the use of SSH traffic from the\nInternet. SSH is commonly used by system administrators to remotely control a\nsystem using the command line shell. If it is exposed to the Internet, it should\nbe done with strong security controls as it is frequently targeted and exploited\nby threat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ]
+  },
+  {
+    "name": "SSH (Secure Shell) to the Internet",
+    "description": "Detects network events that may indicate the use of SSH traffic to the Internet.\nSSH is commonly used by system administrators to remotely control a system using\nthe command line shell. If it is exposed to the Internet, it should be done with\nstrong security controls as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "false_positives": [
+      "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ]
+  },
+  {
+    "name": "Service Command Lateral Movement",
+    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins."
+  },
+  {
+    "name": "Setgid Bit Set via chmod",
+    "description": "An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future."
+  },
+  {
+    "name": "Setuid Bit Set via chmod",
+    "description": "An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future."
+  },
+  {
+    "name": "Socat Process Activity",
+    "description": "A Socat process is running on a Linux host. Socat is often used as a persistence\nmechanism by exporting a reverse shell, or by serving a shell on a listening\nport. Socat is also sometimes used for lateral movement.",
+    "false_positives": [
+      "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+    ]
+  },
+  {
+    "name": "Spike in AWS Error Messages",
+    "description": "A machine learning job detected a significant spike in the rate of a particular\nerror in the CloudTrail messages. Spikes in error messages may accompany\nattempts at privilege escalation, lateral movement, or discovery.",
+    "false_positives": [
+      "Spikes in error message activity can also be due to bugs in cloud automation\nscripts or workflows, changes to cloud automation scripts or workflows,\nadoption of new services, changes in the way services are used, or changes to\nIAM privileges."
+    ],
+    "note": "Alerts from this rule indicate a large spike in the number of CloudTrail log\nmessages that contain a particular error message. The error message in question\nis associated with the response to an AWS API command or method call. Here are\nsome possible avenues of investigation:\n\n* Examine the history of the error. Has it manifested before? If the error,\nwhich is visible in the `aws.cloudtrail.error_message` field, manifested only\nvery recently, it might be related to recent changes in an automation module or\nscript.\n* Examine the request parameters. These may provide indications as to the\nnature of the task being performed when the error occurred. Is the error\nrelated to unsuccessful attempts to enumerate or access objects, data or\nsecrets? If so, this can sometimes be a byproduct of discovery, privilege\nescalation or lateral movement attempts.\n* Consider the user as identified by the `user.name` field. Is this activity\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?"
+  },
+  {
+    "name": "Strace Process Activity",
+    "description": "Strace runs in a privileged context and can be used to escape restrictive\nenvironments by instantiating a shell in order to elevate privileges or move\nlaterally.",
+    "false_positives": [
+      "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
+    ]
+  },
+  {
+    "name": "Sudoers File Modification",
+    "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges."
+  },
+  {
+    "name": "Suspicious .NET Code Compilation",
+    "description": "Identifies suspicious .NET code execution. connections."
+  },
+  {
+    "name": "Suspicious Activity Reported by Okta User",
+    "description": "This rule detects when a user reports suspicious activity for their Okta\naccount. These events should be investigated, as they can help security teams\nidentify when an adversary is attempting to gain access to their network.",
+    "false_positives": [
+      "A user may report suspicious activity on their Okta account in error."
+    ],
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Suspicious Endpoint Security Parent Process",
+    "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection."
+  },
+  {
+    "name": "Suspicious MS Office Child Process",
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office\napplications (Word, PowerPoint, Excel). These child processes are often launched\nduring exploitation of Office applications or from documents with malicious\nmacros."
+  },
+  {
+    "name": "Suspicious MS Outlook Child Process",
+    "description": "Identifies suspicious child processes of Microsoft Outlook. These child\nprocesses are often associated with spear phishing activity."
+  },
+  {
+    "name": "Suspicious Managed Code Hosting Process",
+    "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution."
+  },
+  {
+    "name": "Suspicious PDF Reader Child Process",
+    "description": "Identifies suspicious child processes of PDF reader applications. These child\nprocesses are often launched via exploitation of PDF applications or social\nengineering."
+  },
+  {
+    "name": "Suspicious Powershell Script",
+    "description": "A machine learning job detected a PowerShell script with unusual data\ncharacteristics, such as obfuscation, that may be a characteristic of malicious\nPowerShell script text blocks.",
+    "false_positives": [
+      "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
+    ]
+  },
+  {
+    "name": "Suspicious PrintSpooler SPL File Created",
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .",
+    "note": "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched."
+  },
+  {
+    "name": "Suspicious PrintSpooler Service Executable File Creation",
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched."
+  },
+  {
+    "name": "Suspicious Process Execution via Renamed PsExec Executable",
+    "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection."
+  },
+  {
+    "name": "Suspicious Process from Conhost",
+    "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity."
+  },
+  {
+    "name": "Suspicious WMIC XSL Script Execution",
+    "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass."
+  },
+  {
+    "name": "Suspicious WerFault Child Process",
+    "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.",
+    "false_positives": [
+      "Custom Windows Error Reporting Debugger"
+    ]
+  },
+  {
+    "name": "Suspicious Zoom Child Process",
+    "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
+    "false_positives": [
+      "New Zoom Executable"
+    ]
+  },
+  {
+    "name": "Svchost spawning Cmd",
+    "description": "Identifies a suspicious parent-child process relationship with cmd.exe\ndescending from `svchost.exe`."
+  },
+  {
+    "name": "System Shells via Services",
+    "description": "Windows services typically run as SYSTEM and can be used as a privilege\nescalation opportunity. Malware or penetration testers may run a shell as a\nservice to gain SYSTEM permissions."
+  },
+  {
+    "name": "TCP Port 8000 Activity to the Internet",
+    "description": "TCP Port 8000 is commonly used for development environments of web server\nsoftware. It generally should not be exposed directly to the Internet. If you\nare running software like this on the Internet, you should consider placing it\nbehind a reverse proxy.",
+    "false_positives": [
+      "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet."
+    ]
+  },
+  {
+    "name": "Telnet Port Activity",
+    "description": "Detects network events that may indicate the use of Telnet traffic. Telnet is\ncommonly used by system administrators to remotely control older or embedded\nsystems using the command line shell. It should almost never be directly exposed\nto the Internet, as it is frequently targeted and exploited by threat actors as\nan initial access or back-door vector. As a plain-text protocol, it may also\nexpose usernames and passwords to anyone capable of observing the traffic.",
+    "false_positives": [
+      "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+    ]
+  },
+  {
+    "name": "Threat Detected by Okta ThreatInsight",
+    "description": "This rule detects when Okta ThreatInsight identifies a request from a malicious\nIP address. Investigating requests from IP addresses identified as malicious by\nOkta ThreatInsight can help security teams monitor for and respond to\ncredential-based attacks against their organization, such as brute-force and\npassword-spraying attacks.",
+    "note": "The Okta Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "Tor Activity to the Internet",
+    "description": "Detects network events that may indicate the use of Tor traffic to the Internet.\nTor is a network protocol that sends traffic through a series of encrypted\ntunnels used to conceal a user's location and usage. Tor may be used by threat\nactors as an alternate communication pathway to conceal the actor's identity and\navoid detection.",
+    "false_positives": [
+      "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired."
+    ]
+  },
+  {
+    "name": "Trusted Developer Application Usage",
+    "description": "Identifies possibly suspicious activity using a trusted Windows developer\nutility program.",
+    "false_positives": [
+      "These programs may be used by Windows developers but use by non-engineers is unusual."
+    ]
+  },
+  {
+    "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
+    "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions."
+  },
+  {
+    "name": "Unusual AWS Command for a User",
+    "description": "A machine learning job detected an AWS API command that, while not inherently\nsuspicious or abnormal, is being made by a user that does not normally use the\ncommand. This can be the result of compromised credentials or keys as someone\nuses a valid account to persist, move laterally, or exfiltrate data.",
+    "false_positives": [
+      "New or unusual user command activity can be due to manual troubleshooting or\nreconfiguration, changes in cloud automation scripts or workflows, adoption of\nnew services, or changes in the way services are used."
+    ],
+    "note": "Alerts from this rule indicate an AWS API command or method call that is rare\nand unusual for the calling IAM user. Here are some possible avenues of\ninvestigation:\n\n* Consider the user as identified by the `user.name` field. Is this command\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?\n* Consider the time of day. If the user is a human, not a program or script,\ndid the activity take place during normal working hours?\n* Examine the history of the command. If the command, which is visible in the\n`event.action field`, manifested only very recently, it might be part of a new\nautomation module or script. If its usage rate is consistent - for example, if\nit appears in small numbers on a weekly or monthly basis - it might be part of\na housekeeping or maintenance process.\n* Examine the request parameters. These may provide indications as to the\nsource of the program or the nature of the tasks it is performing."
+  },
+  {
+    "name": "Unusual Child Process from a System Virtual Process",
+    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
+  },
+  {
+    "name": "Unusual Child Process of dns.exe",
+    "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "false_positives": [
+      "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."
+    ],
+    "note": "Detection alerts from this rule indicate potential suspicious child processes\nspawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are\nsome possible avenues of investigation:\n\n* Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n* Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n* If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n* Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint."
+  },
+  {
+    "name": "Unusual Child Processes of RunDLL32",
+    "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity."
+  },
+  {
+    "name": "Unusual City For an AWS Command",
+    "description": "A machine learning job detected AWS command activity that, while not inherently\nsuspicious or abnormal, is sourcing from a geolocation (city) that is unusual\nfor the command. This can be the result of compromised credentials or keys\nbeing used by a threat actor in a different location from the authorized users.",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual\ntroubleshooting or reconfiguration, changes in cloud automation scripts or\nworkflows, adoption of new services, expansion into new regions, increased\nadoption of work from home policies, or users who travel frequently."
+    ],
+    "note": "Alerts from this rule indicate an AWS API command or method call that is rare\nand unusual for the geolocation of the source IP address. Here are some\npossible avenues of investigation:\n\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?\n* Consider the user as identified by the `user.name` field. Is this command\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the time of day. If the user is a human, not a program or script,\ndid the activity take place during normal working hours?\n* Examine the history of the command. If the command, which is visible in the\n`event.action` field, manifested only very recently, it might be part of a new\nautomation module or script. If its usage rate is consistent - for example, if\nit appears in small numbers on a weekly or monthly basis - it might be part of\na housekeeping or maintenance process.\n* Examine the request parameters. These may provide indications as to the\nsource of the program or the nature of the tasks it is performing."
+  },
+  {
+    "name": "Unusual Country For an AWS Command",
+    "description": "A machine learning job detected AWS command activity that, while not inherently\nsuspicious or abnormal, is sourcing from a geolocation (country) that is\nunusual for the command. This can be the result of compromised credentials or\nkeys being used by a threat actor in a different location from the authorized\nusers.",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual\ntroubleshooting or reconfiguration, changes in cloud automation scripts or\nworkflows, adoption of new services, expansion into new regions, increased\nadoption of work from home policies, or users who travel frequently."
+    ],
+    "note": "Alerts from this rule indicate an AWS API command or method call that is rare\nand unusual for the geolocation of the source IP address. Here are some\npossible avenues of investigation:\n\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?\n* Consider the user as identified by the `user.name` field. Is this command\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the time of day. If the user is a human, not a program or script,\ndid the activity take place during normal working hours?\n* Examine the history of the command. If the command, which is visible in the\n`event.action` field, manifested only very recently, it might be part of a new\nautomation module or script. If its usage rate is consistent - for example, if\nit appears in small numbers on a weekly or monthly basis - it might be part of\na housekeeping or maintenance process.\n* Examine the request parameters. These may provide indications as to the\nsource of the program or the nature of the tasks it is performing."
+  },
+  {
+    "name": "Unusual DNS Activity",
+    "description": "A machine learning job detected a rare and unusual DNS query that indicates\nnetwork activity with unusual DNS domains. This can be due to initial access,\npersistence, command-and-control, or exfiltration activity. For example, when a\nuser clicks on a link in a phishing email or opens a malicious document, a\nrequest may be sent to download and run a payload from an uncommon domain. When\nmalware is already running, it may send requests to an uncommon DNS domain the\nmalware uses for command-and-control communication.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
+    ]
+  },
+  {
+    "name": "Unusual Executable File Creation by a System Critical Process",
+    "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation."
+  },
+  {
+    "name": "Unusual File Modification by dns.exe",
+    "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "note": "Detection alerts from this rule indicate potential unusual/abnormal file writes\nfrom the DNS Server service process (`dns.exe`) after exploitation from\nCVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of\ninvestigation:\n\n* Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. \n* Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care."
+  },
+  {
+    "name": "Unusual Linux Network Activity",
+    "description": "Identifies Linux processes that do not usually use the network but have\nunexpected network activity, which can indicate command-and-control, lateral\nmovement, persistence, or data exfiltration activity. A process with unusual\nnetwork activity can denote process exploitation or injection, where the process\nis used to run persistence mechanisms that allow a malicious actor remote access\nor control of the host, data exfiltration, and execution of unauthorized network\napplications.",
+    "note": "Alerts from this rule indicate the presence of network activity from a Linux\nprocess for which network activity is rare and unusual.  Here are some possible\navenues of investigation:\n\n* Consider the IP addresses and ports. Are these used by normal but infrequent\nnetwork workflows? Are they expected or unexpected?\n* If the destination IP address is remote or external, does it associate with\nan expected domain, organization or geography?\n+\nNOTE: Avoid interacting directly with suspected malicious IP addresses. \n\n* Consider the user as identified by the username field. Is this network\nactivity part of an expected workflow for the user who ran the program?\n* Examine the history of execution. If this process manifested only\nvery recently, it might be part of a new software package. If it has a\nconsistent schedule - for example if it runs monthly or quarterly - it might be\npart of a monthly or quarterly business or maintenance process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming."
+  },
+  {
+    "name": "Unusual Linux Network Connection Discovery",
+    "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Network Connections Discovery\n** ID: T1049\n** Reference URL: https://attack.mitre.org/techniques/T1049/"
+    ]
+  },
+  {
+    "name": "Unusual Linux Network Port Activity",
+    "description": "Identifies unusual destination port activity that can indicate command-and-\ncontrol, persistence mechanism, or data exfiltration activity. Rarely used\ndestination port activity is generally unusual in Linux fleets, and can indicate\nunauthorized access or threat actor activity.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ]
+  },
+  {
+    "name": "Unusual Linux Network Service",
+    "description": "Identifies unusual listening ports on Linux instances that can indicate\nexecution of unauthorized services, backdoors, or persistence mechanisms.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ]
+  },
+  {
+    "name": "Unusual Linux Process Discovery Activity",
+    "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: Process Discovery\n** ID: T1057\n** Reference URL: https://attack.mitre.org/techniques/T1057/"
+    ]
+  },
+  {
+    "name": "Unusual Linux System Information Discovery Activity",
+    "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Information Discovery\n** ID: T1082\n** Reference URL: https://attack.mitre.org/techniques/T1082/"
+    ]
+  },
+  {
+    "name": "Unusual Linux System Network Configuration Discovery",
+    "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Network Configuration Discovery\n** ID: T1016\n** Reference URL: https://attack.mitre.org/techniques/T1016/"
+    ]
+  },
+  {
+    "name": "Unusual Linux System Owner or User Discovery Activity",
+    "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Owner/User Discovery\n** ID: T1033\n** Reference URL: https://attack.mitre.org/techniques/T1033/"
+    ]
+  },
+  {
+    "name": "Unusual Linux User Calling the Metadata Service",
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ]
+  },
+  {
+    "name": "Unusual Linux Username",
+    "description": "A machine learning job detected activity for a username that is not normally\nactive, which can indicate unauthorized changes, activity by unauthorized users,\nlateral movement, or compromised credentials. In many organizations, new\nusernames are not often created apart from specific types of system activities,\nsuch as creating new accounts for new employees. These user accounts quickly\nbecome active and routine. Events from rarely used usernames can point to\nsuspicious activity. Additionally, automated Linux fleets tend to see activity\nfrom rarely used usernames only when personnel log in to make authorized or\nunauthorized changes, or threat actors have acquired credentials and log in for\nmalicious purposes. Unusual usernames can also indicate pivoting, where\ncompromised credentials are used to try and move laterally from one host to\nanother.",
+    "false_positives": [
+      "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "note": "Alerts from this rule indicate activity for a Linux user name that is rare and\nunusual. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host? Could\nthis be related to troubleshooting or debugging activity by a developer or site\nreliability engineer?\n* Examine the history of user activity. If this user manifested only very\nrecently, it might be a service account for a new software package. If it has a\nconsistent schedule - for example if it runs monthly or quarterly - it might be\npart of a monthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks that the\nuser is performing."
+  },
+  {
+    "name": "Unusual Linux Web Activity",
+    "description": "A machine learning job detected an unusual web URL request from a Linux host,\nwhich can indicate malware delivery and execution. Wget and cURL are commonly\nused by Linux programs to download code and data. Most of the time, their usage\nis entirely normal. Generally, because they use a list of URLs, they repeatedly\ndownload from the same locations. However, Wget and cURL are sometimes used to\ndeliver Linux exploit payloads, and threat actors use these tools to download\nadditional software and code. For these reasons, unusual URLs can indicate\nunauthorized downloads or threat activity.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+    ]
+  },
+  {
+    "name": "Unusual Login Activity",
+    "description": "Identifies an unusually high number of authentication attempts.",
+    "false_positives": [
+      "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
+    ]
+  },
+  {
+    "name": "Unusual Network Activity from a Windows System Binary",
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection."
+  },
+  {
+    "name": "Unusual Network Connection Sequence via RunDLL32",
+    "description": "Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs."
+  },
+  {
+    "name": "Unusual Network Connection via RunDLL32",
+    "description": "Identifies unusual instances of `rundll32.exe` making outbound network\nconnections. This may indicate adversarial activity and may identify malicious\nDLLs."
+  },
+  {
+    "name": "Unusual Network Destination Domain Name",
+    "description": "A machine learning job detected an unusual network destination domain name. This\ncan be due to initial access, persistence, command-and-control, or exfiltration\nactivity. For example, when a user clicks on a link in a phishing email or opens\na malicious document, a request may be sent to download and run a payload from\nan uncommon web server name. When malware is already running, it may send\nrequests to an uncommon DNS domain the malware uses for command-and-control\ncommunication.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ]
+  },
+  {
+    "name": "Unusual Parent Process for cmd.exe",
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
+  },
+  {
+    "name": "Unusual Parent-Child Relationship",
+    "description": "Identifies Windows programs run from unexpected parent processes. This could\nindicate masquerading or other strange activity on a system."
+  },
+  {
+    "name": "Unusual Process Calling the Metadata Service",
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ]
+  },
+  {
+    "name": "Unusual Process Execution - Temp",
+    "description": "Identifies processes running in a temporary folder. This is sometimes done by\nadversaries to hide malware.",
+    "false_positives": [
+      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    ]
+  },
+  {
+    "name": "Unusual Process For a Linux Host",
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can\nindicate execution of unauthorized services, malware, or persistence mechanisms.\nProcesses are considered rare when they only run occasionally as compared with\nother processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "note": "Alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may\nprovide indications as to the source of the program or the nature of the tasks\nit is performing."
+  },
+  {
+    "name": "Unusual Process For a Windows Host",
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can\nindicate execution of unauthorized services, malware, or persistence mechanisms.\nProcesses are considered rare when they only run occasionally as compared with\nother processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "note": "Alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process metadata like the values of the Company, Description and\nProduct fields which may indicate whether the program is associated with an\nexpected software vendor or package.\n* Examine arguments and working directory. These may provide indications as to\nthe source of the program or the nature of the tasks it is performing.\n* Consider the same for the parent process. If the parent process is a\nlegitimate system utility or service, this could be related to software updates\nor system management. If the parent process is something user-facing like an\nOffice application, this process could be more suspicious.\n* If you have file hash values in the event data, and you suspect malware, you\ncan optionally run a search for the file hash to see if the file is identified\nas malware by anti-malware tools."
+  },
+  {
+    "name": "Unusual Process Network Connection",
+    "description": "Identifies network activity from unexpected system applications. This may\nindicate adversarial activity as these applications are often leveraged by\nadversaries to execute code and evade detection."
+  },
+  {
+    "name": "Unusual Sudo Activity",
+    "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
+    "false_positives": [
+      "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Defense Evasion\n** ID: TA0005\n** Reference URL: https://attack.mitre.org/tactics/TA0005/\n* Technique:\n** Name: Abuse Elevation Control Mechanism\n** ID: T1548\n** Reference URL: https://attack.mitre.org/techniques/T1548/\n\n\n* Tactic:\n** Name: Privilege Escalation\n** ID: TA0004\n** Reference URL: https://attack.mitre.org/tactics/TA0004/\n* Technique:\n** Name: Abuse Elevation Control Mechanism\n** ID: T1548\n** Reference URL: https://attack.mitre.org/techniques/T1548/"
+    ]
+  },
+  {
+    "name": "Unusual Web Request",
+    "description": "A machine learning job detected a rare and unusual URL that indicates unusual\nweb browsing activity. This can be due to initial access, persistence, command-\nand-control, or exfiltration activity. For example, in a strategic web\ncompromise or watering hole attack, when a trusted website is compromised to\ntarget a particular sector or organization, targeted users may receive emails\nwith uncommon URLs for trusted websites. These URLs can be used to download and\nrun a payload. When malware is already running, it may send requests to uncommon\nURLs on trusted websites the malware uses for command-and-control communication.\nWhen rare URLs are observed being requested for a local web server by a remote\nsource, these can be due to web scanning, enumeration or attack traffic, or they\ncan be due to bots and web scrapers which are part of common Internet background\ntraffic.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ]
+  },
+  {
+    "name": "Unusual Web User Agent",
+    "description": "A machine learning job detected a rare and unusual user agent indicating web\nbrowsing activity by an unusual process other than a web browser. This can be\ndue to persistence, command-and-control, or exfiltration activity. Uncommon user\nagents coming from remote sources to local destinations are often the result of\nscanners, bots, and web scrapers, which are part of common Internet background\ntraffic. Much of this is noise, but more targeted attacks on websites using\ntools like Burp or SQLmap can sometimes be discovered by spotting uncommon user\nagents. Uncommon user agents in traffic from local sources to remote\ndestinations can be any number of things, including harmless programs like\nweather monitoring or stock-trading programs. However, uncommon user agents from\nlocal sources can also be due to malware or scanning activity.",
+    "false_positives": [
+      "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
+    ]
+  },
+  {
+    "name": "Unusual Windows Network Activity",
+    "description": "Identifies Windows processes that do not usually use the network but have\nunexpected network activity, which can indicate command-and-control, lateral\nmovement, persistence, or data exfiltration activity. A process with unusual\nnetwork activity can denote process exploitation or injection, where the process\nis used to run persistence mechanisms that allow a malicious actor remote access\nor control of the host, data exfiltration, and execution of unauthorized network\napplications.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "note": "Alerts from this rule indicate the presence of network activity from a Windows\nprocess for which network activity is very unusual.  Here are some possible\navenues of investigation:\n\n* Consider the IP addresses, protocol and ports. Are these used by normal but\ninfrequent network workflows? Are they expected or unexpected?\n* If the destination IP address is remote or external, does it associate with\nan expected domain, organization or geography? Note: avoid interacting directly\nwith suspected malicious IP addresses.\n* Consider the user as identified by the username field. Is this network\nactivity part of an expected workflow for the user who ran the program?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.\n* Consider the same for the parent process. If the parent process is a\nlegitimate system utility or service, this could be related to software updates\nor system management. If the parent process is something user-facing like an\nOffice application, this process could be more suspicious.\n* If you have file hash values in the event data, and you suspect malware, you\ncan optionally run a search for the file hash to see if the file is identified\nas malware by anti-malware tools."
+  },
+  {
+    "name": "Unusual Windows Path Activity",
+    "description": "Identifies processes started from atypical folders in the file system, which\nmay indicate malware execution or persistence mechanisms. In corporate Windows\nenvironments, software installation is centrally managed and it is unusual for\nprograms to be executed from user or temporary directories. Processes executed\nfrom these locations can denote that a user downloaded software directly from\nthe Internet or a malicious script or macro executed malware.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."
+    ]
+  },
+  {
+    "name": "Unusual Windows Process Calling the Metadata Service",
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ]
+  },
+  {
+    "name": "Unusual Windows Remote User",
+    "description": "A machine learning job detected an unusual remote desktop protocol (RDP)\nusername, which can indicate account takeover or credentialed persistence using\ncompromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual\nusernames.",
+    "false_positives": [
+      "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "note": "Alerts from this rule indicate activity for a rare and unusual Windows RDP\n(remote desktop) user. Here are some possible avenues of investigation: \n\n* Consider the user as identified by the username field. Is the user part of a\ngroup who normally logs in to Windows hosts using RDP (remote desktop\nprotocol)? Is this logon activity part of an expected workflow for the user? \n* Consider the source of the login. If the source is remote, could this be\nrelated to occasional troubleshooting or support activity by a vendor or an\nemployee working remotely?"
+  },
+  {
+    "name": "Unusual Windows Service",
+    "description": "A machine learning job detected an unusual Windows service, This can indicate\nexecution of unauthorized services, malware, or persistence mechanisms. In\ncorporate Windows environments, hosts do not generally run many rare or unique\nservices. This job helps detect malware and persistence mechanisms that have\nbeen installed and run as a service.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ]
+  },
+  {
+    "name": "Unusual Windows User Calling the Metadata Service",
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ]
+  },
+  {
+    "name": "Unusual Windows User Privilege Elevation Activity",
+    "description": "A machine learning job detected an unusual user context switch, using the\n`runas` command or similar techniques, which can indicate account takeover or\nprivilege escalation using compromised accounts. Privilege elevation using\ntools like `runas` are more commonly used by domain and network administrators\nthan by regular Windows users.",
+    "false_positives": [
+      "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
+    ]
+  },
+  {
+    "name": "Unusual Windows Username",
+    "description": "A machine learning job detected activity for a username that is not normally\nactive, which can indicate unauthorized changes, activity by unauthorized users,\nlateral movement, or compromised credentials. In many organizations, new\nusernames are not often created apart from specific types of system activities,\nsuch as creating new accounts for new employees. These user accounts quickly\nbecome active and routine. Events from rarely used usernames can point to\nsuspicious activity. Unusual usernames can also indicate pivoting, where\ncompromised credentials are used to try and move laterally from one host to\nanother.",
+    "false_positives": [
+      "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "note": "Alerts from this rule indicate activity for a Windows user name that is rare\nand unusual. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host? Could\nthis be related to occasional troubleshooting or support activity?\n* Examine the history of user activity. If this user manifested only very\nrecently, it might be a service account for a new software package. If it has a\nconsistent schedule - for example if it runs monthly or quarterly - it might be\npart of a monthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may\nprovide indications as to the source of the program or the nature of the tasks\nthat the user is performing.\n* Consider the same for the parent process. If the parent process is a\nlegitimate system utility or service, this could be related to software updates\nor system management. If the parent process is something user-facing like an\nOffice application, this process could be more suspicious."
+  },
+  {
+    "name": "User Account Creation",
+    "description": "Identifies attempts to create new local users. This is sometimes done by\nattackers to increase access to a system or domain."
+  },
+  {
+    "name": "User Added as Owner for Azure Application",
+    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "User Added as Owner for Azure Service Principal",
+    "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.",
+    "note": "The Azure Filebeat module must be enabled to use this rule."
+  },
+  {
+    "name": "User Discovery via Whoami",
+    "description": "The `whoami` application was executed on a Linux host. This is often used by\ntools and persistence mechanisms to test for privileged access.",
+    "false_positives": [
+      "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks."
+    ]
+  },
+  {
+    "name": "VNC (Virtual Network Computing) from the Internet",
+    "description": "Detects network events that may indicate the use of VNC traffic from the\nInternet. VNC is commonly used by system administrators to remotely control a\nsystem for maintenance or to use shared resources. It should almost never be\ndirectly exposed to the Internet, as it is frequently targeted and exploited by\nthreat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ]
+  },
+  {
+    "name": "VNC (Virtual Network Computing) to the Internet",
+    "description": "Detects network events that may indicate the use of VNC traffic to the Internet.\nVNC is commonly used by system administrators to remotely control a system for\nmaintenance or to use shared resources. It should almost never be directly\nexposed to the Internet, as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "false_positives": [
+      "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ]
+  },
+  {
+    "name": "Virtual Machine Fingerprinting",
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ]
+  },
+  {
+    "name": "Volume Shadow Copy Deletion via VssAdmin",
+    "description": "Identifies use of `vssadmin.exe` for shadow copy deletion on endpoints. This\ncommonly occurs in tandem with ransomware or other destructive attacks."
+  },
+  {
+    "name": "Volume Shadow Copy Deletion via WMIC",
+    "description": "Identifies use of `wmic.exe` for shadow copy deletion on endpoints. This\ncommonly occurs in tandem with ransomware or other destructive attacks."
+  },
+  {
+    "name": "WPAD Service Exploit",
+    "description": "Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full system compromise."
+  },
+  {
+    "name": "Web Application Suspicious Activity: No User Agent",
+    "description": "A request to a web application server contained no identifying user agent\nstring.",
+    "false_positives": [
+      "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ]
+  },
+  {
+    "name": "Web Application Suspicious Activity: POST Request Declined",
+    "description": "A POST request to web application returned a 403 response, which indicates the\nweb application declined to process the request because the action requested was\nnot allowed.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ]
+  },
+  {
+    "name": "Web Application Suspicious Activity: Unauthorized Method",
+    "description": "A request to web application returned a 405 response which indicates the web\napplication declined to process the request because the HTTP method is not\nallowed for the resource.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ]
+  },
+  {
+    "name": "Web Application Suspicious Activity: sqlmap User Agent",
+    "description": "This is an example of how to detect an unwanted web client user agent. This\nsearch matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool\nfor testing web applications for SQL injection vulnerabilities.",
+    "false_positives": [
+      "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+    ]
+  },
+  {
+    "name": "Whoami Process Activity",
+    "description": "Identifies use of `whoami.exe` which displays user, group, and privileges\ninformation for the user who is currently logged on to the local system.",
+    "false_positives": [
+      "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+    ]
+  },
+  {
+    "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
+    "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (`Crypt32.dll`)\nvalidates Elliptic Curve Cryptography (ECC) certificates. An attacker could\nexploit the vulnerability by using a spoofed code-signing certificate to sign a\nmalicious executable, making it appear the file was from a trusted, legitimate\nsource."
+  },
+  {
+    "name": "Windows Script Executing PowerShell",
+    "description": "Identifies a PowerShell process launched by either `cscript.exe` or\n`wscript.exe`. Observing Windows scripting processes executing a PowerShell\nscript, may be indicative of malicious activity."
+  },
+  {
+    "name": "Windows Suspicious Script Object Execution",
+    "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process."
+  }
+]
\ No newline at end of file
diff --git a/prebuilt-rules-scripts/diff-files/gen-files/updated-text-json-file-7.10.0.json b/prebuilt-rules-scripts/diff-files/gen-files/updated-text-json-file-7.10.0.json
new file mode 100644
index 0000000000..b7cf3f7a60
--- /dev/null
+++ b/prebuilt-rules-scripts/diff-files/gen-files/updated-text-json-file-7.10.0.json
@@ -0,0 +1,14818 @@
+[
+  {
+    "author": [
+      "Nick Jones",
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to access the secrets in AWS Secrets Manager to steal\ncertificates, credentials, or other sensitive material.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be using\nGetSecretString API for the specified SecretId. If a known behavior is causing\nfalse positives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Access Secret in Secrets Manager",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
+    "references": [
+      "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+      "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS log trail that specifies the settings for\ndelivery of log data.",
+    "false_positives": [
+      "Trail creations may be made by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Trail creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudTrail Log Created",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in\nan attempt to evade defenses.",
+    "false_positives": [
+      "Trail deletions may be made by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Trail deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudTrail Log Deleted",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspending the recording of AWS API calls and log file delivery for\nthe specified trail. An adversary may suspend trails in an attempt to evade\ndefenses.",
+    "false_positives": [
+      "Suspending the recording of a trail may be done by a system or network\nadministrator. Verify whether the user identity, user agent, and/or hostname\nshould be making changes in your environment. Trail suspensions from unfamiliar\nusers or hosts should be investigated. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudTrail Log Suspended",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an update to an AWS log trail setting that specifies the delivery of\nlog files.",
+    "false_positives": [
+      "Trail updates may be made by a system or network administrator. Verify whether\nthe user identity, user agent, and/or hostname should be making changes in your\nenvironment. Trail updates from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudTrail Log Updated",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1492",
+            "name": "Stored Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1492/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete\nalarms in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Alarm deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudWatch Alarm Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specific AWS CloudWatch log group. When a log\ngroup is deleted, all the archived log events associated with the log group are\nalso permanently deleted.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Log group deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudWatch Log Group Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently\ndeletes all associated archived log events with the stream.",
+    "false_positives": [
+      "A log stream may be deleted by a system administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Log stream deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS CloudWatch Log Stream Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to delete an AWS Config Service rule. An adversary may\ntamper with Config rules in order to reduce visibility into the security\nposture of an account and/or its workload instances.",
+    "false_positives": [
+      "Privileged IAM users with security responsibilities may make changes to the\nConfig rules in order to align with local security policies and\nrequirements. Automation, orchestration, and security tools may also make\nchanges to the Config service, when they are used to automate setup or\nconfiguration of AWS accounts. Other types of user or service contexts do not\ncommonly make changes to this service."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Config Service Tampering",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+    "references": [
+      "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an AWS configuration change to stop recording a designated set of\nresources.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Recording changes from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Configuration Recorder Stopped",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) encryption\nin the current region. Disabling default encryption does not change the\nencryption status of your existing volumes.",
+    "false_positives": [
+      "Disabling encryption may be done by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Disabling encryption by unfamiliar users or hosts should\nbe investigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Encryption Disabled",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1492",
+            "name": "Stored Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1492/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud\n(EC2). An adversary may delete flow logs in an attempt to evade defenses.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Flow log deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Flow Log Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access\ncontrol list (ACL) or an entry in a network ACL with a specified rule number.",
+    "false_positives": [
+      "Network ACLs may be created by a network administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Network ACL creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Network Access Control List Creation",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access\ncontrol list (ACL) or one of its ingress/egress entries.",
+    "false_positives": [
+      "Network ACLs may be deleted by a network administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Network ACL deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Network Access Control List Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are\nsometimes shared by threat actors in order to exfiltrate bulk data from an EC2\nfleet. If the permissions were modified, verify the snapshot was not shared\nwith an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "IAM users may occasionally share EC2 snapshots with another AWS account\nbelonging to the same organization. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Snapshot Activity",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of commands and scripts via System Manager. Execution\nmethods such as RunShellScript, RunPowerShellScript, and alike can be abused by\nan authenticated attacker to install a backdoor or to interact with a\ncompromised instance via reverse-shell using system only commands.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Suspicious commands from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Execution via System Manager",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1086",
+            "name": "PowerShell",
+            "reference": "https://attack.mitre.org/techniques/T1086/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion,\nGuardDuty stops monitoring the environment and all existing findings are lost.",
+    "false_positives": [
+      "The GuardDuty detector may be deleted by a system or network administrator.\nVerify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Detector deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS GuardDuty Detector Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
+      "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may\nattempt to modify the AssumeRolePolicy of a misconfigured role in order to gain\nthe privileges of that role.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Policy updates from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Assume Role Policy Update",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
+    "references": [
+      "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"
+    ],
+    "risk_score": 21,
+    "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access\nManagement (IAM) role. IAM roles are used to delegate access to users or\nservices. An adversary may attempt to enumerate IAM roles in order to determine\nif a role exists before attempting to assume or hijack the discovered role.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Brute Force of Assume Role Policy",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+    "references": [
+      "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
+      "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "",
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deactivation of a specific multi-factor authentication (MFA)\ndevice and removes its association with the user name for which it was\noriginally enabled. In AWS Identity and Access Management (IAM), a device must\nbe deactivated before it can be deleted.",
+    "false_positives": [
+      "A MFA device may be deactivated by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. MFA device deactivations from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Deactivation of MFA Device",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM).\nGroups specify permissions for multiple users. All users in a group\nautomatically have the permissions that are assigned to the group.",
+    "false_positives": [
+      "A group may be created by a system or network administrator. Verify whether the\nuser identity, user agent, and/or hostname should be making changes in your\nenvironment. Group creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Group Creation",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specific AWS Identity and Access Management (IAM)\nresource group. Deleting a resource group does not delete resources that are\nmembers of the group, only the group structure.",
+    "false_positives": [
+      "A resource group may be deleted by a system administrator. Verify whether the\nuser identity, user agent, and/or hostname should be making changes in your\nenvironment. Resource group deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Group Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain\nunauthorized AWS access by abusing password recovery mechanisms.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be\nrequesting changes in your environment. Password reset attempts from unfamiliar\nusers should be investigated. If a known behavior is causing false positives,\nit can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Password Recovery Requested",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"
+    ],
+    "risk_score": 21,
+    "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the addition of a user to a specific group in AWS Identity and\nAccess Management (IAM).",
+    "false_positives": [
+      "Adding users to a specific group may be done by a system or network\nadministrator. Verify whether the user identity, user agent, and/or hostname\nshould be making changes in your environment. User additions from unfamiliar\nusers or hosts should be investigated. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM User Addition to Group",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Management Console Brute Force of Root User Identity",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "cloud.account.id",
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a successful login to the AWS Management Console by the Root user.",
+    "false_positives": [
+      "It's strongly recommended that the root user is not used for everyday tasks,\nincluding administrative tasks. Verify whether the IP address, location, and/or\nhostname should be logging in as root in your environment. Unfamiliar root\nlogins should be investigated immediately. If a known behavior is causing false\npositives, it can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Management Console Root Login",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new Amazon Relational Database Service (RDS)\nAurora DB cluster or global database spread across multiple regions.",
+    "false_positives": [
+      "Valid clusters may be created by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Cluster creations from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS RDS Cluster Creation",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora\ndatabase cluster or global database cluster.",
+    "false_positives": [
+      "Clusters may be deleted by a system administrator. Verify whether the user\nidentity, user agent, and/or hostname should be making changes in your\nenvironment. Cluster deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS RDS Cluster Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.",
+    "false_positives": [
+      "Valid clusters or instances may be stopped by a system administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Cluster or instance stoppages from unfamiliar users or\nhosts should be investigated. If a known behavior is causing false positives,\nit can be excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS RDS Instance/Cluster Stoppage",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to login to AWS as the root user without using multi-factor\nauthentication (MFA). Amazon AWS best practices indicate that the root user\nshould be protected by MFA.",
+    "false_positives": [
+      "Some organizations allow root-user logins without MFA, however this is not\nconsidered best practice by AWS and increases the risk of compromised\ncredentials."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Root Login Without MFA",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket\nconfiguration components.",
+    "false_positives": [
+      "Bucket components may be deleted by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Bucket component deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS S3 Bucket Configuration Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "227dc608-e558-43d9-b521-150772250bae",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF)\naccess control list.",
+    "false_positives": [
+      "Firewall ACLs may be deleted by a system or network administrator. Verify\nwhether the user identity, user agent, and/or hostname should be making changes\nin your environment. Web ACL deletions from unfamiliar users or hosts should be\ninvestigated. If a known behavior is causing false positives, it can be\nexcluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS WAF Access Control List Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specific AWS Web Application Firewall (WAF) rule\nor rule group.",
+    "false_positives": [
+      "WAF rules or rule groups may be deleted by a system or network administrator.\nVerify whether the user identity, user agent, and/or hostname should be making\nchanges in your environment. Rule deletions from unfamiliar users or hosts\nshould be investigated. If a known behavior is causing false positives, it can\nbe excluded from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS WAF Rule or Rule Group Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.",
+    "false_positives": [
+      "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."
+    ],
+    "index": [
+      "packetbeat-*",
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Abnormally Large DNS Response",
+    "note": "Detection alerts from this rule indicate an attempt was made to exploit\nCVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS\nserver. Here are some possible avenues of investigation:\n\n* Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.\n* Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n* Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n* Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.",
+    "query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 47,
+    "rule_id": "11013227-0301-4a8c-b150-4db924484475",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries can add the `hidden` attribute to files to hide them from the user\nin an attempt to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Adding Hidden File Attribute via Attrib",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
+    "risk_score": 21,
+    "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to assign administrator privileges to an Okta group in\norder to assign additional permissions to compromised user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if\nadministrator privileges are regularly assigned to Okta groups in your\norganization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Administrator Privileges Assigned to Okta Group",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:group.privilege.grant",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation of an executable file or files that will be automatically\nrun by Acrobat Reader when it starts.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Adobe Hijack Persistence",
+    "query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
+    "risk_score": 21,
+    "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1044",
+            "name": "File System Permissions Weakness",
+            "reference": "https://attack.mitre.org/techniques/T1044/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Adversary Behavior - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
+    "risk_score": 47,
+    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.",
+    "false_positives": [
+      "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Persistence\n** ID: TA0003\n** Reference URL: https://attack.mitre.org/tactics/TA0003/\n* Technique:\n** Name: Kernel Modules and Extensions\n** ID: T1215\n** Reference URL: https://attack.mitre.org/techniques/T1215/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_kernel_module_arguments",
+    "name": "Anomalous Kernel Module Activity",
+    "references": [
+      "references"
+    ],
+    "risk_score": 21,
+    "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1215",
+            "name": "Kernel Modules and Extensions",
+            "reference": "https://attack.mitre.org/techniques/T1215/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
+    "false_positives": [
+      "Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the course of troubleshooting or fixing a software issue."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_user_compiler",
+    "name": "Anomalous Linux Compiler Activity",
+    "risk_score": 21,
+    "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet\nor network. This reduces the detection of false positives since automated\nmaintenance processes usually only run occasionally on a single machine but are\ncommon to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs",
+    "name": "Anomalous Process For a Linux Population",
+    "note": "Alerts from this rule indicate the presence of a Linux process that is rare\nand unusual for all of the monitored Linux hosts for which Auditbeat data is\navailable. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple hosts in an entire fleet or\nnetwork. This reduces the detection of false positives since automated\nmaintenance processes usually only run occasionally on a single machine but are\ncommon to all or many hosts in a fleet.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs",
+    "name": "Anomalous Process For a Windows Population",
+    "note": "Alerts from this rule indicate the presence of a Windows process that is rare\nand unusual for all of the Windows hosts for which Winlogbeat data is\navailable. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n* Examine the process metadata like the values of the Company, Description and\nProduct fields, which may indicate whether the program is associated with an\nexpected software vendor or package.\n* Examine arguments and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.\n* Consider the same for the parent process. If the parent process is\na legitimate system utility or service, this could be related to software\nupdates or system management. If the parent process is something user-facing\nlike an Office application, this process could be more suspicious.\n* If you have file hash values in the event data, and you suspect malware, you\ncan optionally run a search for the file hash to see if the file is identified\nas malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual parent-child process relationships that can indicate malware\nexecution or persistence mechanisms. Malicious scripts often call on other\napplications and processes as part of their exploit payload. For example, when a\nmalicious Office document runs scripts as part of an exploit payload, Excel or\nWord may start a script interpreter process, which, in turn, runs a script that\ndownloads and executes malware. Another common scenario is Outlook running an\nunusual process when malware is downloaded in an email. Monitoring and\nidentifying anomalous process relationships is a method of detecting new and\nemerging malware that is not yet recognized by anti-virus scanners.",
+    "false_positives": [
+      "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_process_creation",
+    "name": "Anomalous Windows Process Creation",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may create an Okta API token to maintain access to an\norganization's network while they work to achieve their objectives. An attacker\nmay abuse an API token to execute techniques such as creating user accounts, or\ndisabling security rules or policies.",
+    "false_positives": [
+      "If the behavior of creating Okta API tokens is expected, consider adding\nexceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Create Okta API Token",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.create",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may deactivate multi-factor authentication (MFA) for an Okta user\naccount in order to weaken the authentication requirements for the account.",
+    "false_positives": [
+      "If the behavior of deactivating MFA for Okta user accounts is expected,\nconsider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Deactivate MFA for Okta User Account",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to deactivate an Okta multi-factor authentication\n(MFA) rule in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA\nrules are regularly deactivated in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Deactivate Okta MFA Rule",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.deactivate",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to deactivate an Okta policy in order to weaken an\norganization's security controls. For example, an adversary may attempt to\ndeactivate an Okta multi-factor authentication (MFA) policy in order to weaken\nthe authentication requirements for user accounts.",
+    "false_positives": [
+      "If the behavior of deactivating Okta policies is expected, consider adding\nexceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Deactivate Okta Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to delete an Okta policy in order to weaken an\norganization's security controls. For example, an adversary may attempt to\ndelete an Okta multi-factor authentication (MFA) policy in order to weaken the\nauthentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta\npolicies are regularly deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Delete Okta Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to disable ip tables or a firewall service, a technique\nadversaries can use to modify the network traffic hosts are allowed to send and\nreceive.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Disable IPTables or Firewall",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
+    "risk_score": 47,
+    "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to disable the `syslog` service, a technique adversaries can\nuse to disrupt event logging and evade detection by security controls.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Disable Syslog Service",
+    "query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+    "risk_score": 47,
+    "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to modify an Okta multi-factor authentication (MFA)\nrule in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA\nrules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Modify Okta MFA Rule",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Okta network zones can be configured to limit or restrict access to a network\nbased on IP addresses or geolocations. An adversary may attempt to modify,\ndelete, or deactivate an Okta network zone in order to remove or weaken an\norganization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if your\norganization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Modify Okta Network Zone",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to modify an Okta policy in order to weaken an\norganization's security controls. For example, an adversary may attempt to\nmodify an Okta multi-factor authentication (MFA) policy in order to weaken the\nauthentication requirements for user accounts.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta\npolicies are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Modify Okta Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.update",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to remove the multi-factor authentication (MFA)\nfactors registered on an Okta user's account in order to register new MFA\nfactors and abuse the account to blend in with normal activity in the victim's\nenvironment.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if the MFA\nfactors for Okta user accounts are regularly reset in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Reset MFA Factors for Okta User Account",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to\nrevoke or delete an Okta API token to disrupt an organization's business\noperations.",
+    "false_positives": [
+      "If the behavior of revoking Okta API tokens is expected, consider adding\nexceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempt to Revoke Okta API Token",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.revoke",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to bypass the Okta multi-factor authentication (MFA)\npolicies configured for an organization in order to obtain unauthorized access\nto an application. This rule detects when an Okta MFA bypass attempt occurs.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempted Bypass of Okta MFA",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 73,
+    "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1111",
+            "name": "Two-Factor Authentication Interception",
+            "reference": "https://attack.mitre.org/techniques/T1111/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
+    "from": "now-180m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Attempts to Brute Force an Okta User Account",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.lock",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "okta.actor.id",
+      "value": 3
+    },
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Automation Account Created",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Automation Runbook Created or Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Automation Runbook Deleted",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Automation Webhook Created",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
+    ],
+    "risk_score": 21,
+    "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "to": "now-25m",
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.",
+    "false_positives": [
+      "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Blob Container Access Level Modification",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
+    ],
+    "risk_score": 21,
+    "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1526",
+            "name": "Cloud Service Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1526/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
+    "false_positives": [
+      "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Command Execution on Virtual Machine",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:Success",
+    "references": [
+      "https://adsecurity.org/?p=4277",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
+    ],
+    "risk_score": 47,
+    "rule_id": "60884af6-f553-4a6c-af13-300047455491",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Conditional Access Policy Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
+    "false_positives": [
+      "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Diagnostic Settings Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
+    ],
+    "risk_score": 47,
+    "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
+    "false_positives": [
+      "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Event Hub Authorization Rule Created or Updated",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
+    ],
+    "risk_score": 47,
+    "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.",
+    "false_positives": [
+      "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Event Hub Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
+      "https://azure.microsoft.com/en-in/services/event-hubs/",
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"
+    ],
+    "risk_score": 47,
+    "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.",
+    "false_positives": [
+      "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure External Guest User Invitation",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"
+    ],
+    "risk_score": 21,
+    "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
+    "false_positives": [
+      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Firewall Policy Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.",
+    "false_positives": [
+      "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Global Administrator Role Addition to PIM User",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+    ],
+    "risk_score": 73,
+    "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
+    "false_positives": [
+      "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Key Vault Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
+    ],
+    "risk_score": 47,
+    "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1081",
+            "name": "Credentials in Files",
+            "reference": "https://attack.mitre.org/techniques/T1081/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
+    "false_positives": [
+      "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Network Watcher Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Privilege Identity Management Role Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"
+    ],
+    "risk_score": 47,
+    "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
+    "false_positives": [
+      "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Resource Group Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.",
+    "false_positives": [
+      "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Storage Account Key Regenerated",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"
+    ],
+    "risk_score": 21,
+    "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to encode and decode data, a technique adversaries can\nuse to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Base16 or Base32 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+    "risk_score": 21,
+    "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to encode and decode data, a technique adversaries can\nuse to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Base64 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
+    "risk_score": 21,
+    "rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via `eventvwr.exe.` Attackers\nbypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Bypass UAC via Event Viewer",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+    "risk_score": 21,
+    "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1088",
+            "name": "Bypass User Account Control",
+            "reference": "https://attack.mitre.org/techniques/T1088/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to clear Windows event log stores. This is often done by\nattackers in an attempt to evade detection or destroy forensic evidence on a\nsystem.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Clearing Windows Event Logs",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+    "risk_score": 21,
+    "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Cobalt Strike Command and Control Beacon",
+    "note": "This activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+    "references": [
+      "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1483",
+            "name": "Domain Generation Algorithms",
+            "reference": "https://attack.mitre.org/techniques/T1483/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies `cmd.exe` making a network connection. Adversaries can abuse\n`cmd.exe` to download or execute malware from a remote URL.",
+    "false_positives": [
+      "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Command Prompt Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n  [network where process.name : \"cmd.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Compression of Keychain Credentials Directories",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(zip or tar or gzip or 7za or hdiutil) and process.args:(\"/Library/Keychains/\" or \"/Network/Library/Keychains/\" or \"~/Library/Keychains/\")",
+    "references": [
+      "https://objective-see.com/blog/blog_0x25.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1142",
+            "name": "Keychain",
+            "reference": "https://attack.mitre.org/techniques/T1142/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Conhost Spawned By Suspicious Parent Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Connection to External Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"10.0.0.0/8\", \"172.16.0.0/12\",\n                                  \"192.168.0.0/16\", \"FE80::/10\", \"::1/128\")]\n",
+    "risk_score": 47,
+    "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Connection to Internal Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"FE80::/10\") and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n",
+    "risk_score": 47,
+    "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Users can mark specific files as hidden simply by adding a `.` as the first\ncharacter in the file or folder name. Adversaries can use this to their\nadvantage to hide files and folders on the system for persistence and defense\nevasion. This rule looks for hidden files or folders in common writable\ndirectories.",
+    "false_positives": [
+      "Certain tools may create hidden temporary files or directories upon\ninstallation or as part of their normal behavior. These events can be filtered\nby the process arguments, username, or process name values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Creation of Hidden Files and Directories",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+    "risk_score": 47,
+    "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Creation or Modification of Domain Backup DPAPI private key",
+    "note": "Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
+    "query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
+    "references": [
+      "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
+      "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
+    ],
+    "risk_score": 73,
+    "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1145",
+            "name": "Private Keys",
+            "reference": "https://attack.mitre.org/techniques/T1145/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Creation or Modification of a new GPO Scheduled Task or Service",
+    "query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
+    "risk_score": 21,
+    "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Credential Dumping - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+    "risk_score": 73,
+    "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Credential Dumping - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+    "risk_score": 47,
+    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Credential Manipulation - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+    "risk_score": 73,
+    "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Credential Manipulation - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+    "risk_score": 47,
+    "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects when an internal network client sends DNS traffic directly to the\nInternet. This is atypical behavior for a managed network, and can be indicative\nof malware, exfiltration, command and control, or, simply, misconfiguration.\nThis DNS activity also impacts your organization's ability to provide enterprise\nmonitoring and logging of DNS, and opens your network to a variety of abuses and\nmalicious communications.",
+    "false_positives": [
+      "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "DNS Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+    "references": [
+      "https://www.us-cert.gov/ncas/alerts/TA15-240A",
+      "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects unusually large numbers of DNS queries for a single top-level DNS\ndomain, which is often used for DNS tunneling. DNS tunneling can be used for\ncommand-and-control, persistence, or data exfiltration activity. For example,\n`dnscat` tends to generate many DNS questions for a top-level domain as it uses\nthe DNS protocol to tunnel data.",
+    "false_positives": [
+      "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_dns_tunneling",
+    "name": "DNS Tunneling",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the `fsutil.exe` to delete the `USNJRNL` volume. This\ntechnique is used by attackers to eliminate evidence of files created during\npost-exploitation activities.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Delete Volume USN Journal with Fsutil",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+    "risk_score": 21,
+    "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the `wbadmin.exe` to delete the backup catalog. Ransomware and\nother malware may do this to prevent system recovery.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Deleting Backup Catalogs with Wbadmin",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
+    "risk_score": 21,
+    "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to clear the bash command line history in an attempt to\nevade detection or forensic investigations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Deletion of Bash Command Line History",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+    "risk_score": 47,
+    "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1146",
+            "name": "Clear Command History",
+            "reference": "https://attack.mitre.org/techniques/T1146/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unexpected processes making network connections over port 445.\nWindows File Sharing is typically implemented over Server Message Block (SMB),\nwhich communicates between hosts using port 445. When legitimate, these network\nconnections are established by the kernel. Processes making 445/tcp connections\nmay be port scanners, exploits, or suspicious user-level processes moving\nlaterally.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Direct Outbound SMB Connection",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and process.pid != 4]\n  [network where destination.port == 445 and process.pid != 4 and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the `netsh.exe` to disable or weaken the local firewall.\nAttackers will use this command line tool to disable the firewall during\ntroubleshooting or to enable network mobility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Disable Windows Firewall Rules via Netsh",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+    "risk_score": 47,
+    "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of `certutil.exe` to encode or decode data. CertUtil is a\nnative Windows component which is part of Certificate Services. CertUtil is\noften abused by attackers to encode or decode base64 data for stealthier command\nand control or exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Encoding or Decoding Files via CertUtil",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
+    "risk_score": 47,
+    "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert each time an Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
+    "enabled": true,
+    "exceptions_list": [
+      {
+        "id": "endpoint_list",
+        "list_id": "endpoint_list",
+        "namespace_type": "agnostic",
+        "type": "endpoint"
+      }
+    ],
+    "from": "now-10m",
+    "index": [
+      "logs-endpoint.alerts-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "max_signals": 10000,
+    "name": "Endpoint Security",
+    "query": "event.kind:alert and event.module:(endpoint and not endgame)",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to enumerate information about a kernel module. Loadable\nKernel Modules (LKMs) are pieces of code that can be loaded and unloaded into\nthe kernel upon demand. They extend the functionality of the kernel without the\nneed to reboot the system.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Enumeration of Kernel Modules",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+    "risk_score": 47,
+    "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Execution of File Written or Modified by Microsoft Office",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          },
+          {
+            "id": "T1192",
+            "name": "Spearphishing Link",
+            "reference": "https://attack.mitre.org/techniques/T1192/"
+          },
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Execution of File Written or Modified by PDF Reader",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
+    "risk_score": 21,
+    "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          },
+          {
+            "id": "T1192",
+            "name": "Spearphishing Link",
+            "reference": "https://attack.mitre.org/techniques/T1192/"
+          },
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe",
+    "risk_score": 73,
+    "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "`RegSvcs.exe` and `RegAsm.exe` are Windows command line utilities that are used\nto register .NET Component Object Model (COM) assemblies. Adversaries can use\n`RegSvcs.exe` and `RegAsm.exe` to proxy execution of code through a trusted\nWindows utility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Execution via Regsvcs/Regasm",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)",
+    "risk_score": 21,
+    "rule_id": "47f09343-8d1f-4bb5-8bb0-00c9d18f5010",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1121",
+            "name": "Regsvcs/Regasm",
+            "reference": "https://attack.mitre.org/techniques/T1121/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1121",
+            "name": "Regsvcs/Regasm",
+            "reference": "https://attack.mitre.org/techniques/T1121/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Exploit - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+    "risk_score": 73,
+    "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Exploit - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+    "risk_score": 47,
+    "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert for each external alert written to the configured\nsecuritySolution:defaultIndex. Enabling this rule allows you to immediately\nbegin investigating external alerts in the app.",
+    "index": [
+      "apm-*-transaction*",
+      "auditbeat-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "max_signals": 10000,
+    "name": "External Alerts",
+    "query": "event.kind:alert and not event.module:(endgame or endpoint)",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
+    ],
+    "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Network",
+      "Windows",
+      "APM",
+      "macOS",
+      "Linux"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may indicate the use of FTP network connections to the\nInternet. The File Transfer Protocol (FTP) has been around in its current form\nsince the 1980s. It can be a common and efficient procedure on your network to\nsend and receive files. Because of this, adversaries will also often use this\nprotocol to exfiltrate data from your network or download new tools.\nAdditionally, FTP is a plain-text protocol which, if intercepted, may expose\nusernames and passwords. FTP activity involving servers subject to regulations\nor compliance standards may be unauthorized.",
+    "false_positives": [
+      "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "FTP (File Transfer Protocol) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies file deletions using the `shred` command. Malware or other files\ndropped or created on a system by an adversary may leave traces behind as to\nwhat was done within a network and how. Adversaries may remove these files over\nthe course of an intrusion to keep their footprint low or remove them at the\nend as part of the post-intrusion cleanup process.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "File Deletion via Shred",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+    "risk_score": 21,
+    "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies file permission modifications in common writable directories by a\nnon-root user. Adversaries often drop files or payloads into a writable\ndirectory, and change permissions prior to execution.",
+    "false_positives": [
+      "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "File Permission Modification in Writable Directory",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+    "risk_score": 21,
+    "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
+    "false_positives": [
+      "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Firewall Rule Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.insert",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 21,
+    "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Firewall Rule Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.delete",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Firewall Rule Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.patch",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
+    "risk_score": 47,
+    "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+    "false_positives": [
+      "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP IAM Custom Role Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-custom-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.",
+    "false_positives": [
+      "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP IAM Role Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-roles"
+    ],
+    "risk_score": 21,
+    "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.",
+    "false_positives": [
+      "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP IAM Service Account Key Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.",
+    "false_positives": [
+      "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Logging Bucket Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/logging/docs/buckets",
+      "https://cloud.google.com/logging/docs/storage"
+    ],
+    "risk_score": 47,
+    "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.",
+    "false_positives": [
+      "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Logging Sink Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/logging/docs/export"
+    ],
+    "risk_score": 47,
+    "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.",
+    "false_positives": [
+      "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Logging Sink Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/logging/docs/export#how_sinks_work"
+    ],
+    "risk_score": 21,
+    "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Pub/Sub Subscription Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Pub/Sub Subscription Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
+    "false_positives": [
+      "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Pub/Sub Topic Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/admin"
+    ],
+    "risk_score": 21,
+    "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
+    "false_positives": [
+      "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Pub/Sub Topic Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
+    "false_positives": [
+      "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Service Account Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 21,
+    "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Service Account Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Service Account Disabled",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.",
+    "false_positives": [
+      "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Service Account Key Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+    ],
+    "risk_score": 21,
+    "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
+    "false_positives": [
+      "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Storage Bucket Configuration Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:storage.buckets.update and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Storage Bucket Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:storage.buckets.delete",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
+    "false_positives": [
+      "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Storage Bucket Permissions Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:storage.setIamPermissions and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/storage/docs/access-control/iam-permissions"
+    ],
+    "risk_score": 47,
+    "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
+    "false_positives": [
+      "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Virtual Private Cloud Network Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.networks.delete and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/vpc/docs/vpc"
+    ],
+    "risk_score": 47,
+    "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Virtual Private Cloud Route Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 21,
+    "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Virtual Private Cloud Route Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.routes.delete and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 47,
+    "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Halfbaked Command and Control Beacon",
+    "note": "This activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://attack.mitre.org/software/S0151/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1483",
+            "name": "Domain Generation Algorithms",
+            "reference": "https://attack.mitre.org/techniques/T1483/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to encode and decode data, a technique adversaries can\nuse to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Hex Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)",
+    "risk_score": 21,
+    "rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
+    "false_positives": [
+      "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "High Number of Okta User Password Reset or Unlock Attempts",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "okta.actor.id",
+      "value": 5
+    },
+    "type": "threshold",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Hosts File Modified",
+    "note": "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.",
+    "query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")",
+    "references": [
+      "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Impact"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1492",
+            "name": "Stored Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1492/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has\nthe ability to construct network packets for a wide variety of network security\ntesting applications, including scanning and firewall auditing.",
+    "false_positives": [
+      "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Hping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
+    "references": [
+      "https://en.wikipedia.org/wiki/Hping"
+    ],
+    "risk_score": 73,
+    "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "IIS HTTP Logging Disabled",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
+    "risk_score": 73,
+    "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a\nVPN technology that allows one system to talk to another using encrypted\ntunnels. NAT Traversal enables these tunnels to communicate over the Internet\nwhere one of the sides is behind a NAT router gateway. This may be common on\nyour network, but this technique is also used by threat actors to avoid\ndetection.",
+    "false_positives": [
+      "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "IPSEC NAT Traversal Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
+    "risk_score": 21,
+    "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that use common ports for Internet Relay Chat (IRC) to the\nInternet. IRC is a common protocol that can be used for chat and file transfers.\nThis protocol is also a good candidate for remote control of malware and data\ntransfers to and from a network.",
+    "false_positives": [
+      "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
+    "false_positives": [
+      "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Inbound Connection to an Unsecure Elasticsearch Node",
+    "note": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
+    "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
+    "references": [
+      "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
+    ],
+    "risk_score": 47,
+    "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "InstallUtil Process Making Network Connections",
+    "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
+    "risk_score": 21,
+    "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1118",
+            "name": "InstallUtil",
+            "reference": "https://attack.mitre.org/techniques/T1118/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Installation of Custom Shim Databases",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n     not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n     wildcard(registry.path, \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\")]\n",
+    "risk_score": 21,
+    "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1138",
+            "name": "Application Shimming",
+            "reference": "https://attack.mitre.org/techniques/T1138/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (`tty`) is spawned via Perl. Attackers may upgrade a\nsimple reverse shell to a fully interactive `tty` after obtaining initial\naccess to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Interactive Terminal Spawned via Perl",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+    "risk_score": 73,
+    "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (`tty`) is spawned via Python. Attackers may upgrade\na simple reverse shell to a fully interactive `tty` after obtaining initial\naccess to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Interactive Terminal Spawned via Python",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+    "risk_score": 73,
+    "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Kerberos Cached Credentials Dumping",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:kcc and process.args:copy_cred_cache",
+    "references": [
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
+      "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to remove a kernel module. Kernel modules are pieces of\ncode that can be loaded and unloaded into the kernel upon demand. They extend\nthe functionality of the kernel without the need to reboot the system.",
+    "false_positives": [
+      "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Kernel Module Removal",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
+    "references": [
+      "http://man7.org/linux/man-pages/man8/modprobe.8.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1215",
+            "name": "Kernel Modules and Extensions",
+            "reference": "https://attack.mitre.org/techniques/T1215/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task can be used by an adversary to establish persistence, move\nlaterally, and/or escalate privileges.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Local Scheduled Task Commands",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+    "risk_score": 21,
+    "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `sc.exe` to create, modify, or start services on remote hosts.\nThis could be indicative of adversary lateral movement but will be noisy if\ncommonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Local Service Commands",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
+    "risk_score": 21,
+    "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Malware - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+    "risk_score": 99,
+    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Malware - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+    "risk_score": 73,
+    "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically\nlinked libraries) responsible for Windows credential management. This technique\nis sometimes used for credential dumping.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Loading Windows Credential Libraries",
+    "query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+    "risk_score": 73,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script\nor the Visual C# Command Line Compiler. This technique is sometimes used to\ndeploy a malicious payload using the Build Engine.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Started an Unusual Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1500",
+            "name": "Compile After Delivery",
+            "reference": "https://attack.mitre.org/techniques/T1500/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or\nthe Windows command interpreter. This behavior is unusual and is sometimes used\nby malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Started by a Script Process",
+    "query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or\nthe WMI (Windows Management Instrumentation) subsystem. This behavior is unusual\nand is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Started by a System Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+    "risk_score": 47,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or\nWord. This is unusual behavior for the Build Engine and could have been caused\nby an Excel or Word document executing a malicious script payload.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Started by an Office Application",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being\nrenamed. This is uncommon behavior and may indicate an attempt to run MSBuild\nunnoticed or undetected.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Using an Alternate Name",
+    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Microsoft IIS Connection Strings Decryption",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe or winlog.event_data.OriginalFileName:aspnet_regiis.exe) and process.args:(connectionStrings and \"-pdf\")",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+      "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
+    ],
+    "risk_score": 73,
+    "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Microsoft IIS Service Account Password Dumped",
+    "query": "event.category:process AND event.type:(start OR process_started) AND (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) AND process.args:(/[lL][iI][sS][tT]/ AND /\\/[tT][eE][xX][tT]\\:[pP][aA][sS][sS][wW][oO][rR][dD]/)",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
+    ],
+    "risk_score": 73,
+    "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the password log file from the default Mimikatz memssp module.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Mimikatz Memssp Log File Detected",
+    "query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
+    "risk_score": 73,
+    "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Linux `mknod` program is sometimes used in the command payload of a remote\ncommand injection (RCI) and other exploits. It is used to export a command shell\nwhen the traditional version of `netcat` is not available to the payload.",
+    "false_positives": [
+      "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Mknod Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:mknod",
+    "references": [
+      "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/"
+    ],
+    "risk_score": 21,
+    "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `bcdedit.exe` to delete boot configuration data. Malware and\nattackers sometimes use this tactic as a destructive technique.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Modification of Boot Configuration",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+    "risk_score": 21,
+    "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to modify or delete the sign on policy for an Okta\napplication in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if sign on\npolicies for Okta applications are regularly modified or deleted in your\norganization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Modification or Removal of an Okta Application Sign-On Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies `MsBuild.exe` making outbound network connections. This may indicate\nadversarial activity as MsBuild is often leveraged by adversaries to execute\ncode and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "MsBuild Making Network Connections",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Mshta Making Network Connections",
+    "query": "sequence by process.entity_id with maxspan=2h\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "c2d90150-0133-451c-a783-533e736c12d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1170",
+            "name": "Mshta",
+            "reference": "https://attack.mitre.org/techniques/T1170/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Multi-Factor Authentication Disabled for an Azure User",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:Success",
+    "risk_score": 47,
+    "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the SYSTEM account using the Net utility. The Net utility is a\ncomponent of the Windows operating system. It is used in command line operations\nfor control of users, groups, services, and network connections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Net command via SYSTEM account",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+    "risk_score": 21,
+    "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A `netcat` process is engaging in network activity on a Linux host. Netcat is\noften used as a persistence mechanism by exporting a reverse shell or by serving\na shell on a listening port. Netcat is also sometimes used for data\nexfiltration.",
+    "false_positives": [
+      "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Netcat Network Activity",
+    "query": "sequence by process.entity_id\n  [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n     event.type == \"start\"]\n  [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
+    "references": [
+      "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+      "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
+      "https://en.wikipedia.org/wiki/Netcat"
+    ],
+    "risk_score": 47,
+    "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies `certutil.exe` making a network connection. Adversaries could abuse\n`certutil.exe` to download a certificate or malware from a remote URL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via Certutil",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft\nHTML Help system. Adversaries may conceal malicious code in a CHM file and\ndeliver it to a victim for execution. CHM content is loaded by the HTML Help\nexecutable program (`hh.exe`).",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via Compiled HTML File",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies `msxsl.exe` making a network connection. This may indicate\nadversarial activity as `msxsl.exe` is often leveraged by adversaries to\nexecute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via MsXsl",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
+    "false_positives": [
+      "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via Registration Utility",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1117",
+            "name": "Regsvr32",
+            "reference": "https://attack.mitre.org/techniques/T1117/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Binaries signed with trusted digital certificates can execute on Windows systems\nprotected by digital signature validation. Adversaries may use these binaries to\n'live off the land' and execute malicious files that could bypass application\nallowlists and signature validation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via Signed Binary",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or\npacket sniffing tool that can be used to capture insecure credentials or data in\nmotion. Sniffing can also be used to discover details of network services as a\nprelude to lateral movement or defense evasion.",
+    "false_positives": [
+      "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Network Sniffing via Tcpdump",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump",
+    "risk_score": 21,
+    "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Credential Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and\nsecurity testing. It can map and discover networks, and identify listening\nservices and operating systems. It is sometimes used to gather information in\nsupport of exploitation, execution or lateral movement.",
+    "false_positives": [
+      "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Nmap Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nmap",
+    "references": [
+      "https://en.wikipedia.org/wiki/Nmap"
+    ],
+    "risk_score": 21,
+    "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the\nability to construct raw packets for a wide variety of security testing\napplications, including denial of service testing.",
+    "false_positives": [
+      "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Nping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nping",
+    "references": [
+      "https://en.wikipedia.org/wiki/Nmap"
+    ],
+    "risk_score": 47,
+    "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
+    "false_positives": [
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Okta Brute Force or Password Spraying Attack",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
+          }
+        ]
+      }
+    ],
+    "threshold": {
+      "field": "source.ip",
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may indicate use of a PPTP VPN connection. Some threat\nactors use these types of connections to tunnel their traffic while avoiding\ndetection.",
+    "false_positives": [
+      "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "PPTP (Point to Point Tunneling Protocol) Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723",
+    "risk_score": 21,
+    "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Permission Theft - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+    "risk_score": 73,
+    "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Permission Theft - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+    "risk_score": 47,
+    "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies loadable kernel module errors, which are often indicative of\npotential persistence attempts.",
+    "false_positives": [
+      "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Persistence via Kernel Module Modification",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)",
+    "references": [
+      "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM"
+    ],
+    "risk_score": 21,
+    "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1215",
+            "name": "Kernel Modules and Extensions",
+            "reference": "https://attack.mitre.org/techniques/T1215/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Persistence via TelemetryController Scheduled Task Hijack",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe)",
+    "references": [
+      "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
+    ],
+    "risk_score": 73,
+    "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Persistence via Update Orchestrator Service Hijack",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.parent.args:(UsoSvc or usosvc) and not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe)",
+    "references": [
+      "https://github.com/irsl/CVE-2020-1313"
+    ],
+    "risk_score": 73,
+    "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1050",
+            "name": "New Service",
+            "reference": "https://attack.mitre.org/techniques/T1050/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Possible Consent Grant Attack via Azure-Registered Application",
+    "note": "- The Azure Filebeat module must be enabled to use this rule.\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" ) and event.outcome:success",
+    "references": [
+      "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide"
+    ],
+    "risk_score": 47,
+    "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1192",
+            "name": "Spearphishing Link",
+            "reference": "https://attack.mitre.org/techniques/T1192/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
+        },
+        "technique": [
+          {
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
+    "false_positives": [
+      "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Possible FIN7 DGA Command and Control Behavior",
+    "note": "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1483",
+            "name": "Domain Generation Algorithms",
+            "reference": "https://attack.mitre.org/techniques/T1483/"
+          },
+          {
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to disrupt an organization's business operations by\nperforming a denial of service (DoS) attack against its Okta infrastructure.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Possible Okta DoS Attack",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1498",
+            "name": "Network Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1498/"
+          },
+          {
+            "id": "T1499",
+            "name": "Endpoint Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1499/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Application Shim was created to allow for backward compatibility of software\nas the operating system codebase changes over time. This Windows functionality\nhas been abused by attackers to stealthily gain persistence and arbitrary code\nexecution in legitimate Windows processes.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Application Shimming via Sdbinst",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe",
+    "risk_score": 21,
+    "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1138",
+            "name": "Application Shimming",
+            "reference": "https://attack.mitre.org/techniques/T1138/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1138",
+            "name": "Application Shimming",
+            "reference": "https://attack.mitre.org/techniques/T1138/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential DLL SideLoading via Trusted Microsoft Programs",
+    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) or winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE)) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
+    "risk_score": 73,
+    "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over\nthe DNS protocol to circumvent firewalls, network security groups, and network\naccess lists while evading detection.",
+    "false_positives": [
+      "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential DNS Tunneling via Iodine",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
+    "references": [
+      "https://code.kryo.se/iodine/"
+    ],
+    "risk_score": 73,
+    "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux),\nwhich is a Linux kernel security feature that supports access control policies.\nAdversaries may disable security tools to avoid possible detection of their\ntools and activities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Disabling of SELinux",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+    "risk_score": 47,
+    "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by\nadversaries to unload a filter driver and evade defenses.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Evasion via Filter Manager",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe",
+    "risk_score": 21,
+    "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows contains accessibility features that may be launched with a key\ncombination before a user has logged in. An adversary can modify the way these\nprograms are launched to get a command prompt or backdoor without logging in to\nthe system.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Modification of Accessibility Binaries",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
+    "risk_score": 21,
+    "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1015",
+            "name": "Accessibility Features",
+            "reference": "https://attack.mitre.org/techniques/T1015/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1015",
+            "name": "Accessibility Features",
+            "reference": "https://attack.mitre.org/techniques/T1015/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Potential Secure File Deletion via SDelete Utility",
+    "note": "Verify process details such as command line and hash to confirm this activity legitimacy.",
+    "query": "event.category:file AND event.type:change AND file.name:/.+A+\\.AAA/",
+    "risk_score": 21,
+    "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a\nvulnerability and remote shell access.",
+    "false_positives": [
+      "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Shell via Web Server",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+    "references": [
+      "https://pentestlab.blog/tag/web-shell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1100",
+            "name": "Web Shell",
+            "reference": "https://attack.mitre.org/techniques/T1100/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 6
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with `cmd.exe`\ndescending from `PowerShell.exe`.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "PowerShell spawning Cmd",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe",
+    "risk_score": 21,
+    "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1086",
+            "name": "PowerShell",
+            "reference": "https://attack.mitre.org/techniques/T1086/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (`.chm`) are commonly distributed as part of the Microsoft\nHTML Help system. Adversaries may conceal malicious code in a CHM file and\ndeliver it to a victim for execution. CHM content is loaded by the HTML Help\nexecutable program (`hh.exe`).",
+    "false_positives": [
+      "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Activity via Compiled HTML File",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe",
+    "risk_score": 21,
+    "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to get information about running processes on a system.",
+    "false_positives": [
+      "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Discovery via Tasklist",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:tasklist.exe",
+    "risk_score": 21,
+    "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Injection - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+    "risk_score": 73,
+    "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Injection - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+    "risk_score": 47,
+    "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another\nprocess. This technique is sometimes used to evade detection or elevate\nprivileges.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Injection by the Microsoft Build Engine",
+    "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed.",
+    "false_positives": [
+      "Legit Application Crash with rare Werfault commandline value"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Potentially Masquerading as WerFault",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:WerFault.exe and not process.args:(((\"-u\" or \"-pss\") and \"-p\" and \"-s\") or (\"/h\" and \"/shared\") or (\"-k\" and \"-lcq\"))",
+    "references": [
+      "https://twitter.com/SBousseaden/status/1235533224337641473",
+      "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may describe network events of proxy use to the Internet. It\nincludes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments\nwill use an internal IP address for a proxy server. It can also be used to\ncircumvent network controls and detection mechanisms.",
+    "false_positives": [
+      "Some proxied applications may use these ports but this usually occurs in local\ntraffic using private IPs which this rule does not match. Proxies are widely\nused as a security technology but in enterprise environments this is usually\nlocal traffic which this rule does not match. If desired, internet proxy\nservices using these ports can be added to allowlists. Some screen recording\napplications may use these ports.\n\nProxy port activity involving an unusual source or destination may be more\nsuspicious. Some cloud environments may use this port when VPNs or direct\nconnects are not in use and cloud instances are accessed across the Internet.\nBecause these ports are in the ephemeral range, this rule may false under\ncertain conditions such as when a NATed web server replies to a client which has\nused a port in the range by coincidence. In this case, such servers can be\nexcluded if desired."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Proxy Port Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the SysInternals tool `PsExec.exe` making a network\nconnection. This could be an indication of lateral movement.",
+    "false_positives": [
+      "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "PsExec Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n  [network where process.name : \"PsExec.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.",
+    "false_positives": [
+      "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Public IP Reconnaissance Activity",
+    "note": "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert.",
+    "query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer",
+    "references": [
+      "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
+    ],
+    "risk_score": 21,
+    "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of RDP traffic from the\nInternet. RDP is commonly used by system administrators to remotely control a\nsystem for maintenance or to use shared resources. It should almost never be\ndirectly exposed to the Internet, as it is frequently targeted and exploited by\nthreat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "RDP (Remote Desktop Protocol) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of RDP traffic to the Internet.\nRDP is commonly used by system administrators to remotely control a system for\nmaintenance or to use shared resources. It should almost never be directly\nexposed to the Internet, as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "false_positives": [
+      "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "RDP (Remote Desktop Protocol) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of RPC traffic from the\nInternet. RPC is commonly used by system administrators to remotely control a\nsystem for maintenance or to use shared resources. It should almost never be\ndirectly exposed to the Internet, as it is frequently targeted and exploited by\nthreat actors as an initial access or back-door vector.",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "RPC (Remote Procedure Call) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+    "risk_score": 73,
+    "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of RPC traffic to the Internet.\nRPC is commonly used by system administrators to remotely control a system for\nmaintenance or to use shared resources. It should almost never be directly\nexposed to the Internet, as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "RPC (Remote Procedure Call) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 73,
+    "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Ransomware - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+    "risk_score": 99,
+    "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Ransomware - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+    "risk_score": 73,
+    "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual error in a CloudTrail message. These\ncan be byproducts of attempted or successful persistence, privilege escalation,\ndefense evasion, discovery, lateral movement, or collection.",
+    "false_positives": [
+      "Rare and unusual errors may indicate an impending service failure state. Rare\nand unusual user error activity can also be due to manual troubleshooting or\nreconfiguration attempts by insufficiently privileged users, bugs in cloud\nautomation scripts or workflows, or changes to IAM privileges."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_error_code",
+    "name": "Rare AWS Error Code",
+    "note": "Alerts from this rule indicate a rare and unusual error code that is\nassociated with the response to an AWS API command or method call. Here are\nsome possible avenues of investigation:\n\n* Examine the history of the error. Has it manifested before? If the error,\nwhich is visible in the `aws.cloudtrail.error_code field`, manifested only very\nrecently, it might be related to recent changes in an automation module or\nscript.\n* Examine the request parameters. These may provide indications as to the\nnature of the task being performed when the error occurred. Is the error\nrelated to unsuccessful attempts to enumerate or access objects, data, or\nsecrets? If so, this can sometimes be a byproduct of discovery, privilege\nescalation, or lateral movement attempts.\n* Consider the user as identified in the `user.name` field. Is this activity\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Remote File Copy via TeamViewer",
+    "query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
+    "references": [
+      "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Remote File Download via Desktopimgdownldr Utility",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe or winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
+    "references": [
+      "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
+    ],
+    "risk_score": 47,
+    "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Remote File Download via MpCmdRun",
+    "note": "Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe or winlog.event_data.OriginalFileName:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
+    "references": [
+      "https://twitter.com/mohammadaskar2/status/1301263551638761477",
+      "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
+    ],
+    "risk_score": 47,
+    "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects use of the systemsetup command to enable remote SSH Login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Remote SSH Login Enabled via systemsetup Command",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-f\" and \"-setremotelogin\" and on)",
+    "references": [
+      "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+      "https://ss64.com/osx/systemsetup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable to avoid detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Renamed AutoIt Scripts Interpreter",
+    "query": "event.category:process AND event.type:(start OR process_started) AND (process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/ OR winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/) AND NOT process.name:/[aA][uU][tT][oO][iI][tT]\\d{1,3}\\.[eE][xX][eE]/",
+    "risk_score": 47,
+    "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
+    "false_positives": [
+      "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
+    "note": "This activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://www.justice.gov/opa/press-release/file/1084361/download"
+    ],
+    "risk_score": 47,
+    "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of Windows file sharing (also\ncalled SMB or CIFS) traffic to the Internet. SMB is commonly used within\nnetworks to share files, printers, and other system resources amongst trusted\nsystems. It should almost never be directly exposed to the Internet, as it is\nfrequently targeted and exploited by threat actors as an initial access or back-\ndoor vector or for data exfiltration.",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SMB (Windows File Sharing) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 73,
+    "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may indicate use of SMTP on TCP port 26. This port is\ncommonly used by several popular mail transfer agents to deconflict with the\ndefault SMTP port 25. This port has also been used by a malware family called\nBadPatch for command and control of Windows systems.",
+    "false_positives": [
+      "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SMTP on Port 26/TCP",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+    "references": [
+      "https://unit42.paloaltonetworks.com/unit42-badpatch/",
+      "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
+    ],
+    "risk_score": 21,
+    "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may describe SMTP traffic from internal hosts to a host\nacross the Internet. In an enterprise network, there is typically a dedicated\ninternal host that performs this function. It is also frequently abused by\nthreat actors for command and control, or data exfiltration.",
+    "false_positives": [
+      "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SMTP to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects events that may describe database traffic (MS SQL, Oracle, MySQL, and\nPostgresql) across the Internet. Databases should almost never be directly\nexposed to the Internet, as they are frequently targeted by threat actors to\ngain initial access to network resources.",
+    "false_positives": [
+      "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SQL Traffic to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of SSH traffic from the\nInternet. SSH is commonly used by system administrators to remotely control a\nsystem using the command line shell. If it is exposed to the Internet, it should\nbe done with strong security controls as it is frequently targeted and exploited\nby threat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SSH (Secure Shell) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+    "risk_score": 47,
+    "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of SSH traffic to the Internet.\nSSH is commonly used by system administrators to remotely control a system using\nthe command line shell. If it is exposed to the Internet, it should be done with\nstrong security controls as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "false_positives": [
+      "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "SSH (Secure Shell) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Service Command Lateral Movement",
+    "query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n                               /* uncomment once in winlogbeat */\n     (process.name == \"sc.exe\" /* or process.pe.original_file_name == \"sc.exe\" */ ) and\n                                                   /* case insensitive */\n      wildcard(process.args, \"\\\\\\\\*\") and wildcard(process.args, \"binPath=*\", \"binpath=*\") and\n      (process.args : \"create\" or\n       process.args : \"config\" or\n       process.args : \"failure\" or\n       process.args : \"start\")]\n  [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+    "risk_score": 21,
+    "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          },
+          {
+            "id": "T1050",
+            "name": "New Service",
+            "reference": "https://attack.mitre.org/techniques/T1050/"
+          },
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Setgid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root",
+    "risk_score": 21,
+    "rule_id": "3a86e085-094c-412d-97ff-2439731e59cb",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Setuid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+    "risk_score": 21,
+    "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A Socat process is running on a Linux host. Socat is often used as a persistence\nmechanism by exporting a reverse shell, or by serving a shell on a listening\nport. Socat is also sometimes used for lateral movement.",
+    "false_positives": [
+      "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Socat Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V",
+    "references": [
+      "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"
+    ],
+    "risk_score": 47,
+    "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a significant spike in the rate of a particular\nerror in the CloudTrail messages. Spikes in error messages may accompany\nattempts at privilege escalation, lateral movement, or discovery.",
+    "false_positives": [
+      "Spikes in error message activity can also be due to bugs in cloud automation\nscripts or workflows, changes to cloud automation scripts or workflows,\nadoption of new services, changes in the way services are used, or changes to\nIAM privileges."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "high_distinct_count_error_message",
+    "name": "Spike in AWS Error Messages",
+    "note": "Alerts from this rule indicate a large spike in the number of CloudTrail log\nmessages that contain a particular error message. The error message in question\nis associated with the response to an AWS API command or method call. Here are\nsome possible avenues of investigation:\n\n* Examine the history of the error. Has it manifested before? If the error,\nwhich is visible in the `aws.cloudtrail.error_message` field, manifested only\nvery recently, it might be related to recent changes in an automation module or\nscript.\n* Examine the request parameters. These may provide indications as to the\nnature of the task being performed when the error occurred. Is the error\nrelated to unsuccessful attempts to enumerate or access objects, data or\nsecrets? If so, this can sometimes be a byproduct of discovery, privilege\nescalation or lateral movement attempts.\n* Consider the user as identified by the `user.name` field. Is this activity\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Strace runs in a privileged context and can be used to escape restrictive\nenvironments by instantiating a shell in order to elevate privileges or move\nlaterally.",
+    "false_positives": [
+      "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Strace Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+    "references": [
+      "https://en.wikipedia.org/wiki/Strace"
+    ],
+    "risk_score": 21,
+    "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Sudoers File Modification",
+    "query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+    "risk_score": 21,
+    "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1169",
+            "name": "Sudo",
+            "reference": "https://attack.mitre.org/techniques/T1169/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious .NET code execution. connections.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious .NET Code Compilation",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(csc.exe or vbc.exe) and process.parent.name:(wscript.exe or mshta.exe or wscript.exe or wmic.exe or svchost.exe or rundll32.exe or cmstp.exe or regsvr32.exe)",
+    "risk_score": 47,
+    "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when a user reports suspicious activity for their Okta\naccount. These events should be investigated, as they can help security teams\nidentify when an adversary is attempting to gain access to their network.",
+    "false_positives": [
+      "A user may report suspicious activity on their Okta account in error."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Activity Reported by Okta User",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Endpoint Security Parent Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(esensor.exe or \"elastic-endpoint.exe\" or \"elastic-agent.exe\") and not process.parent.executable:\"C:\\Windows\\System32\\services.exe\"",
+    "risk_score": 47,
+    "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office\napplications (Word, PowerPoint, Excel). These child processes are often launched\nduring exploitation of Office applications or from documents with malicious\nmacros.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious MS Office Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+    "risk_score": 21,
+    "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of Microsoft Outlook. These child\nprocesses are often associated with spear phishing activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious MS Outlook Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+    "risk_score": 21,
+    "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Managed Code Hosting Process",
+    "query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)",
+    "references": [
+      "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of PDF reader applications. These child\nprocesses are often launched via exploitation of PDF applications or social\nengineering.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious PDF Reader Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
+    "risk_score": 21,
+    "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a PowerShell script with unusual data\ncharacteristics, such as obfuscation, that may be a characteristic of malicious\nPowerShell script text blocks.",
+    "false_positives": [
+      "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_script",
+    "name": "Suspicious Powershell Script",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious PrintSpooler SPL File Created",
+    "note": "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.",
+    "query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)",
+    "references": [
+      "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"
+    ],
+    "risk_score": 74,
+    "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious PrintSpooler Service Executable File Creation",
+    "query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)",
+    "references": [
+      "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
+      "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"
+    ],
+    "risk_score": 74,
+    "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Process Execution via Renamed PsExec Executable",
+    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and process.parent.name:services.exe and not process.name:(psexesvc.exe or PSEXESVC.exe)",
+    "risk_score": 47,
+    "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Process from Conhost",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe",
+    "references": [
+      "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Suspicious WMIC XSL Script Execution",
+    "query": "sequence by process.entity_id with maxspan=2m\n[process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n   wildcard(process.args, \"format*:*\", \"/format*:*\", \"*-format*:*\") and\n   not wildcard(process.command_line, \"* /format:table *\")]\n[library where event.type == \"start\" and file.name in (\"jscript.dll\", \"vbscript.dll\")]\n",
+    "risk_score": 21,
+    "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.",
+    "false_positives": [
+      "Custom Windows Error Reporting Debugger"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious WerFault Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)",
+    "references": [
+      "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
+    "false_positives": [
+      "New Zoom Executable"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious Zoom Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:Zoom.exe and not process.name:(Zoom.exe or WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or firefox.exe or iexplore.exe or outlook.exe or lync.exe or ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or mphost.exe or APcptControl.exe or winword.exe or excel.exe or powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)",
+    "risk_score": 47,
+    "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent-child process relationship with cmd.exe\ndescending from `svchost.exe`.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Svchost spawning Cmd",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+    "risk_score": 21,
+    "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows services typically run as SYSTEM and can be used as a privilege\nescalation opportunity. Malware or penetration testers may run a shell as a\nservice to gain SYSTEM permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "System Shells via Services",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+    "risk_score": 47,
+    "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1050",
+            "name": "New Service",
+            "reference": "https://attack.mitre.org/techniques/T1050/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "TCP Port 8000 is commonly used for development environments of web server\nsoftware. It generally should not be exposed directly to the Internet. If you\nare running software like this on the Internet, you should consider placing it\nbehind a reverse proxy.",
+    "false_positives": [
+      "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "TCP Port 8000 Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of Telnet traffic. Telnet is\ncommonly used by system administrators to remotely control older or embedded\nsystems using the command line shell. It should almost never be directly exposed\nto the Internet, as it is frequently targeted and exploited by threat actors as\nan initial access or back-door vector. As a plain-text protocol, it may also\nexpose usernames and passwords to anyone capable of observing the traffic.",
+    "false_positives": [
+      "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Telnet Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+    "risk_score": 47,
+    "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when Okta ThreatInsight identifies a request from a malicious\nIP address. Investigating requests from IP addresses identified as malicious by\nOkta ThreatInsight can help security teams monitor for and respond to\ncredential-based attacks against their organization, such as brute-force and\npassword-spraying attacks.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Threat Detected by Okta ThreatInsight",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:security.threat.detected",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of Tor traffic to the Internet.\nTor is a network protocol that sends traffic through a series of encrypted\ntunnels used to conceal a user's location and usage. Tor may be used by threat\nactors as an alternate communication pathway to conceal the actor's identity and\navoid detection.",
+    "false_positives": [
+      "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Tor Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1188",
+            "name": "Multi-hop Proxy",
+            "reference": "https://attack.mitre.org/techniques/T1188/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies possibly suspicious activity using a trusted Windows developer\nutility program.",
+    "false_positives": [
+      "These programs may be used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Trusted Developer Application Usage",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(/autoclean or /AUTOCLEAN) and process.parent.name:svchost.exe and not process.executable:(\"C:\\Windows\\System32\\cleanmgr.exe\" or \"C:\\Windows\\SysWOW64\\cleanmgr.exe\")",
+    "risk_score": 47,
+    "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1088",
+            "name": "Bypass User Account Control",
+            "reference": "https://attack.mitre.org/techniques/T1088/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an AWS API command that, while not inherently\nsuspicious or abnormal, is being made by a user that does not normally use the\ncommand. This can be the result of compromised credentials or keys as someone\nuses a valid account to persist, move laterally, or exfiltrate data.",
+    "false_positives": [
+      "New or unusual user command activity can be due to manual troubleshooting or\nreconfiguration, changes in cloud automation scripts or workflows, adoption of\nnew services, or changes in the way services are used."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_method_for_a_username",
+    "name": "Unusual AWS Command for a User",
+    "note": "Alerts from this rule indicate an AWS API command or method call that is rare\nand unusual for the calling IAM user. Here are some possible avenues of\ninvestigation:\n\n* Consider the user as identified by the `user.name` field. Is this command\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?\n* Consider the time of day. If the user is a human, not a program or script,\ndid the activity take place during normal working hours?\n* Examine the history of the command. If the command, which is visible in the\n`event.action field`, manifested only very recently, it might be part of a new\nautomation module or script. If its usage rate is consistent - for example, if\nit appears in small numbers on a weekly or monthly basis - it might be part of\na housekeeping or maintenance process.\n* Examine the request parameters. These may provide indications as to the\nsource of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Child Process from a System Virtual Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")",
+    "risk_score": 73,
+    "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "false_positives": [
+      "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Child Process of dns.exe",
+    "note": "Detection alerts from this rule indicate potential suspicious child processes\nspawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are\nsome possible avenues of investigation:\n\n* Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n* Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n* If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n* Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.",
+    "query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Child Processes of RunDLL32",
+    "query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n                                    /* uncomment once in winlogbeat */\n     (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n     process.args_count < 2\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1085",
+            "name": "Rundll32",
+            "reference": "https://attack.mitre.org/techniques/T1085/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently\nsuspicious or abnormal, is sourcing from a geolocation (city) that is unusual\nfor the command. This can be the result of compromised credentials or keys\nbeing used by a threat actor in a different location from the authorized users.",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual\ntroubleshooting or reconfiguration, changes in cloud automation scripts or\nworkflows, adoption of new services, expansion into new regions, increased\nadoption of work from home policies, or users who travel frequently."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_method_for_a_city",
+    "name": "Unusual City For an AWS Command",
+    "note": "Alerts from this rule indicate an AWS API command or method call that is rare\nand unusual for the geolocation of the source IP address. Here are some\npossible avenues of investigation:\n\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?\n* Consider the user as identified by the `user.name` field. Is this command\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the time of day. If the user is a human, not a program or script,\ndid the activity take place during normal working hours?\n* Examine the history of the command. If the command, which is visible in the\n`event.action` field, manifested only very recently, it might be part of a new\nautomation module or script. If its usage rate is consistent - for example, if\nit appears in small numbers on a weekly or monthly basis - it might be part of\na housekeeping or maintenance process.\n* Examine the request parameters. These may provide indications as to the\nsource of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently\nsuspicious or abnormal, is sourcing from a geolocation (country) that is\nunusual for the command. This can be the result of compromised credentials or\nkeys being used by a threat actor in a different location from the authorized\nusers.",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual\ntroubleshooting or reconfiguration, changes in cloud automation scripts or\nworkflows, adoption of new services, expansion into new regions, increased\nadoption of work from home policies, or users who travel frequently."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_method_for_a_country",
+    "name": "Unusual Country For an AWS Command",
+    "note": "Alerts from this rule indicate an AWS API command or method call that is rare\nand unusual for the geolocation of the source IP address. Here are some\npossible avenues of investigation:\n\n* Consider the source IP address and geolocation for the calling user who\nissued the command. Do they look normal for the calling user? If the source is\nan EC2 IP address, is it associated with an EC2 instance in one of your\naccounts or could it be sourcing from an EC2 instance not under your control?\nIf it is an authorized EC2 instance, is the activity associated with normal\nbehavior for the instance role or roles? Are there any other alerts or signs of\nsuspicious activity involving this instance?\n* Consider the user as identified by the `user.name` field. Is this command\npart of an expected workflow for the user context? Examine the user identity in\nthe `aws.cloudtrail.user_identity.arn` field and the access key id in the\n`aws.cloudtrail.user_identity.access_key_id` field, which can help identify the\nprecise user context. The user agent details in the `user_agent.original` field\nmay also indicate what type of client made the request.\n* Consider the time of day. If the user is a human, not a program or script,\ndid the activity take place during normal working hours?\n* Examine the history of the command. If the command, which is visible in the\n`event.action` field, manifested only very recently, it might be part of a new\nautomation module or script. If its usage rate is consistent - for example, if\nit appears in small numbers on a weekly or monthly basis - it might be part of\na housekeeping or maintenance process.\n* Examine the request parameters. These may provide indications as to the\nsource of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual DNS query that indicates\nnetwork activity with unusual DNS domains. This can be due to initial access,\npersistence, command-and-control, or exfiltration activity. For example, when a\nuser clicks on a link in a phishing email or opens a malicious document, a\nrequest may be sent to download and run a payload from an uncommon domain. When\nmalware is already running, it may send requests to an uncommon DNS domain the\nmalware uses for command-and-control communication.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_dns_question",
+    "name": "Unusual DNS Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Executable File Creation by a System Critical Process",
+    "query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)",
+    "risk_score": 73,
+    "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1211",
+            "name": "Exploitation for Defense Evasion",
+            "reference": "https://attack.mitre.org/techniques/T1211/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual File Modification by dns.exe",
+    "note": "Detection alerts from this rule indicate potential unusual/abnormal file writes\nfrom the DNS Server service process (`dns.exe`) after exploitation from\nCVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of\ninvestigation:\n\n* Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. \n* Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.",
+    "query": "event.category:file and process.name:dns.exe and not file.name:dns.log",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Linux processes that do not usually use the network but have\nunexpected network activity, which can indicate command-and-control, lateral\nmovement, persistence, or data exfiltration activity. A process with unusual\nnetwork activity can denote process exploitation or injection, where the process\nis used to run persistence mechanisms that allow a malicious actor remote access\nor control of the host, data exfiltration, and execution of unauthorized network\napplications.",
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+    "name": "Unusual Linux Network Activity",
+    "note": "Alerts from this rule indicate the presence of network activity from a Linux\nprocess for which network activity is rare and unusual.  Here are some possible\navenues of investigation:\n\n* Consider the IP addresses and ports. Are these used by normal but infrequent\nnetwork workflows? Are they expected or unexpected?\n* If the destination IP address is remote or external, does it associate with\nan expected domain, organization or geography?\n+\nNOTE: Avoid interacting directly with suspected malicious IP addresses. \n\n* Consider the user as identified by the username field. Is this network\nactivity part of an expected workflow for the user who ran the program?\n* Examine the history of execution. If this process manifested only\nvery recently, it might be part of a new software package. If it has a\nconsistent schedule - for example if it runs monthly or quarterly - it might be\npart of a monthly or quarterly business or maintenance process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Network Connections Discovery\n** ID: T1049\n** Reference URL: https://attack.mitre.org/techniques/T1049/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_network_connection_discovery",
+    "name": "Unusual Linux Network Connection Discovery",
+    "risk_score": 21,
+    "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1049",
+            "name": "System Network Connections Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1049/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual destination port activity that can indicate command-and-\ncontrol, persistence mechanism, or data exfiltration activity. Rarely used\ndestination port activity is generally unusual in Linux fleets, and can indicate\nunauthorized access or threat actor activity.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs",
+    "name": "Unusual Linux Network Port Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual listening ports on Linux instances that can indicate\nexecution of unauthorized services, backdoors, or persistence mechanisms.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_service",
+    "name": "Unusual Linux Network Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_metadata_process",
+    "name": "Unusual Linux Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: Process Discovery\n** ID: T1057\n** Reference URL: https://attack.mitre.org/techniques/T1057/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_system_process_discovery",
+    "name": "Unusual Linux Process Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Information Discovery\n** ID: T1082\n** Reference URL: https://attack.mitre.org/techniques/T1082/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_system_information_discovery",
+    "name": "Unusual Linux System Information Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Network Configuration Discovery\n** ID: T1016\n** Reference URL: https://attack.mitre.org/techniques/T1016/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_network_configuration_discovery",
+    "name": "Unusual Linux System Network Configuration Discovery",
+    "risk_score": 21,
+    "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Discovery\n** ID: TA0007\n** Reference URL: https://attack.mitre.org/tactics/TA0007/\n* Technique:\n** Name: System Owner/User Discovery\n** ID: T1033\n** Reference URL: https://attack.mitre.org/techniques/T1033/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_system_user_discovery",
+    "name": "Unusual Linux System Owner or User Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "59756272-1998-4b8c-be14-e287035c4d10",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_metadata_user",
+    "name": "Unusual Linux User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally\nactive, which can indicate unauthorized changes, activity by unauthorized users,\nlateral movement, or compromised credentials. In many organizations, new\nusernames are not often created apart from specific types of system activities,\nsuch as creating new accounts for new employees. These user accounts quickly\nbecome active and routine. Events from rarely used usernames can point to\nsuspicious activity. Additionally, automated Linux fleets tend to see activity\nfrom rarely used usernames only when personnel log in to make authorized or\nunauthorized changes, or threat actors have acquired credentials and log in for\nmalicious purposes. Unusual usernames can also indicate pivoting, where\ncompromised credentials are used to try and move laterally from one host to\nanother.",
+    "false_positives": [
+      "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_user_name_ecs",
+    "name": "Unusual Linux Username",
+    "note": "Alerts from this rule indicate activity for a Linux user name that is rare and\nunusual. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host? Could\nthis be related to troubleshooting or debugging activity by a developer or site\nreliability engineer?\n* Examine the history of user activity. If this user manifested only very\nrecently, it might be a service account for a new software package. If it has a\nconsistent schedule - for example if it runs monthly or quarterly - it might be\npart of a monthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks that the\nuser is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual web URL request from a Linux host,\nwhich can indicate malware delivery and execution. Wget and cURL are commonly\nused by Linux programs to download code and data. Most of the time, their usage\nis entirely normal. Generally, because they use a list of URLs, they repeatedly\ndownload from the same locations. However, Wget and cURL are sometimes used to\ndeliver Linux exploit payloads, and threat actors use these tools to download\nadditional software and code. For these reasons, unusual URLs can indicate\nunauthorized downloads or threat activity.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
+    "name": "Unusual Linux Web Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unusually high number of authentication attempts.",
+    "false_positives": [
+      "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "suspicious_login_activity_ecs",
+    "name": "Unusual Login Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Network Activity from a Windows System Binary",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n  [network where\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of `rundll32.exe` making outbound network\nconnections. This may indicate adversarial activity and may identify malicious\nDLLs.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Network Connection via RunDLL32",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"rundll32.exe\" and event.type == \"start\"]\n  [network where process.name : \"rundll32.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\",  \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n",
+    "risk_score": 21,
+    "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1085",
+            "name": "Rundll32",
+            "reference": "https://attack.mitre.org/techniques/T1085/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual network destination domain name. This\ncan be due to initial access, persistence, command-and-control, or exfiltration\nactivity. For example, when a user clicks on a link in a phishing email or opens\na malicious document, a request may be sent to download and run a payload from\nan uncommon web server name. When malware is already running, it may send\nrequests to an uncommon DNS domain the malware uses for command-and-control\ncommunication.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_server_domain",
+    "name": "Unusual Network Destination Domain Name",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Parent Process for cmd.exe",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)",
+    "risk_score": 47,
+    "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows programs run from unexpected parent processes. This could\nindicate masquerading or other strange activity on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Parent-Child Relationship",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or process.name:autochk.exe and not process.parent.name:smss.exe or process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and not process.parent.name:svchost.exe or process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe) or process.name:SearchIndexer.exe and not process.parent.name:services.exe or process.name:SearchProtocolHost.exe and not process.parent.name:(SearchIndexer.exe or dllhost.exe) or process.name:dllhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:(lsass.exe or LsaIso.exe) and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+    "risk_score": 47,
+    "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1093",
+            "name": "Process Hollowing",
+            "reference": "https://attack.mitre.org/techniques/T1093/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running in a temporary folder. This is sometimes done by\nadversaries to hide malware.",
+    "false_positives": [
+      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Process Execution - Temp",
+    "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+    "risk_score": 47,
+    "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can\nindicate execution of unauthorized services, malware, or persistence mechanisms.\nProcesses are considered rare when they only run occasionally as compared with\nother processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_process_by_host_linux_ecs",
+    "name": "Unusual Process For a Linux Host",
+    "note": "Alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may\nprovide indications as to the source of the program or the nature of the tasks\nit is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can\nindicate execution of unauthorized services, malware, or persistence mechanisms.\nProcesses are considered rare when they only run occasionally as compared with\nother processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_process_by_host_windows_ecs",
+    "name": "Unusual Process For a Windows Host",
+    "note": "Alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process metadata like the values of the Company, Description and\nProduct fields which may indicate whether the program is associated with an\nexpected software vendor or package.\n* Examine arguments and working directory. These may provide indications as to\nthe source of the program or the nature of the tasks it is performing.\n* Consider the same for the parent process. If the parent process is a\nlegitimate system utility or service, this could be related to software updates\nor system management. If the parent process is something user-facing like an\nOffice application, this process could be more suspicious.\n* If you have file hash values in the event data, and you suspect malware, you\ncan optionally run a search for the file hash to see if the file is identified\nas malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may\nindicate adversarial activity as these applications are often leveraged by\nadversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Process Network Connection",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
+    "false_positives": [
+      "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\n==== Threat mapping\n\n*Framework*: MITRE ATT&CK^TM^\n\n* Tactic:\n** Name: Defense Evasion\n** ID: TA0005\n** Reference URL: https://attack.mitre.org/tactics/TA0005/\n* Technique:\n** Name: Abuse Elevation Control Mechanism\n** ID: T1548\n** Reference URL: https://attack.mitre.org/techniques/T1548/\n\n\n* Tactic:\n** Name: Privilege Escalation\n** ID: TA0004\n** Reference URL: https://attack.mitre.org/tactics/TA0004/\n* Technique:\n** Name: Abuse Elevation Control Mechanism\n** ID: T1548\n** Reference URL: https://attack.mitre.org/techniques/T1548/"
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_sudo_user",
+    "name": "Unusual Sudo Activity",
+    "risk_score": 21,
+    "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual URL that indicates unusual\nweb browsing activity. This can be due to initial access, persistence, command-\nand-control, or exfiltration activity. For example, in a strategic web\ncompromise or watering hole attack, when a trusted website is compromised to\ntarget a particular sector or organization, targeted users may receive emails\nwith uncommon URLs for trusted websites. These URLs can be used to download and\nrun a payload. When malware is already running, it may send requests to uncommon\nURLs on trusted websites the malware uses for command-and-control communication.\nWhen rare URLs are observed being requested for a local web server by a remote\nsource, these can be due to web scanning, enumeration or attack traffic, or they\ncan be due to bots and web scrapers which are part of common Internet background\ntraffic.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_urls",
+    "name": "Unusual Web Request",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual user agent indicating web\nbrowsing activity by an unusual process other than a web browser. This can be\ndue to persistence, command-and-control, or exfiltration activity. Uncommon user\nagents coming from remote sources to local destinations are often the result of\nscanners, bots, and web scrapers, which are part of common Internet background\ntraffic. Much of this is noise, but more targeted attacks on websites using\ntools like Burp or SQLmap can sometimes be discovered by spotting uncommon user\nagents. Uncommon user agents in traffic from local sources to remote\ndestinations can be any number of things, including harmless programs like\nweather monitoring or stock-trading programs. However, uncommon user agents from\nlocal sources can also be due to malware or scanning activity.",
+    "false_positives": [
+      "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_user_agent",
+    "name": "Unusual Web User Agent",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows processes that do not usually use the network but have\nunexpected network activity, which can indicate command-and-control, lateral\nmovement, persistence, or data exfiltration activity. A process with unusual\nnetwork activity can denote process exploitation or injection, where the process\nis used to run persistence mechanisms that allow a malicious actor remote access\nor control of the host, data exfiltration, and execution of unauthorized network\napplications.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_network_activity_ecs",
+    "name": "Unusual Windows Network Activity",
+    "note": "Alerts from this rule indicate the presence of network activity from a Windows\nprocess for which network activity is very unusual.  Here are some possible\navenues of investigation:\n\n* Consider the IP addresses, protocol and ports. Are these used by normal but\ninfrequent network workflows? Are they expected or unexpected?\n* If the destination IP address is remote or external, does it associate with\nan expected domain, organization or geography? Note: avoid interacting directly\nwith suspected malicious IP addresses.\n* Consider the user as identified by the username field. Is this network\nactivity part of an expected workflow for the user who ran the program?\n* Examine the history of execution. If this process manifested only very\nrecently, it might be part of a new software package. If it has a consistent\nschedule - for example if it runs monthly or quarterly - it might be part of a\nmonthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may provide\nindications as to the source of the program or the nature of the tasks it is\nperforming.\n* Consider the same for the parent process. If the parent process is a\nlegitimate system utility or service, this could be related to software updates\nor system management. If the parent process is something user-facing like an\nOffice application, this process could be more suspicious.\n* If you have file hash values in the event data, and you suspect malware, you\ncan optionally run a search for the file hash to see if the file is identified\nas malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes started from atypical folders in the file system, which\nmay indicate malware execution or persistence mechanisms. In corporate Windows\nenvironments, software installation is centrally managed and it is unusual for\nprograms to be executed from user or temporary directories. Processes executed\nfrom these locations can denote that a user downloaded software directly from\nthe Internet or a malicious script or macro executed malware.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_path_activity_ecs",
+    "name": "Unusual Windows Path Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_metadata_process",
+    "name": "Unusual Windows Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual remote desktop protocol (RDP)\nusername, which can indicate account takeover or credentialed persistence using\ncompromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual\nusernames.",
+    "false_positives": [
+      "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_user_type10_remote_login",
+    "name": "Unusual Windows Remote User",
+    "note": "Alerts from this rule indicate activity for a rare and unusual Windows RDP\n(remote desktop) user. Here are some possible avenues of investigation: \n\n* Consider the user as identified by the username field. Is the user part of a\ngroup who normally logs in to Windows hosts using RDP (remote desktop\nprotocol)? Is this logon activity part of an expected workflow for the user? \n* Consider the source of the login. If the source is remote, could this be\nrelated to occasional troubleshooting or support activity by a vendor or an\nemployee working remotely?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual Windows service, This can indicate\nexecution of unauthorized services, malware, or persistence mechanisms. In\ncorporate Windows environments, hosts do not generally run many rare or unique\nservices. This job helps detect malware and persistence mechanisms that have\nbeen installed and run as a service.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_service",
+    "name": "Unusual Windows Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_metadata_user",
+    "name": "Unusual Windows User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual user context switch, using the\n`runas` command or similar techniques, which can indicate account takeover or\nprivilege escalation using compromised accounts. Privilege elevation using\ntools like `runas` are more commonly used by domain and network administrators\nthan by regular Windows users.",
+    "false_positives": [
+      "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_user_runas_event",
+    "name": "Unusual Windows User Privilege Elevation Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally\nactive, which can indicate unauthorized changes, activity by unauthorized users,\nlateral movement, or compromised credentials. In many organizations, new\nusernames are not often created apart from specific types of system activities,\nsuch as creating new accounts for new employees. These user accounts quickly\nbecome active and routine. Events from rarely used usernames can point to\nsuspicious activity. Unusual usernames can also indicate pivoting, where\ncompromised credentials are used to try and move laterally from one host to\nanother.",
+    "false_positives": [
+      "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_user_name_ecs",
+    "name": "Unusual Windows Username",
+    "note": "Alerts from this rule indicate activity for a Windows user name that is rare\nand unusual. Here are some possible avenues of investigation:\n\n* Consider the user as identified by the username field. Is this program part\nof an expected workflow for the user who ran this program on this host? Could\nthis be related to occasional troubleshooting or support activity?\n* Examine the history of user activity. If this user manifested only very\nrecently, it might be a service account for a new software package. If it has a\nconsistent schedule - for example if it runs monthly or quarterly - it might be\npart of a monthly or quarterly business process.\n* Examine the process arguments, title and working directory. These may\nprovide indications as to the source of the program or the nature of the tasks\nthat the user is performing.\n* Consider the same for the parent process. If the parent process is a\nlegitimate system utility or service, this could be related to software updates\nor system management. If the parent process is something user-facing like an\nOffice application, this process could be more suspicious.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create new local users. This is sometimes done by\nattackers to increase access to a system or domain.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "User Account Creation",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
+    "risk_score": 21,
+    "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "User Added as Owner for Azure Application",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:Success",
+    "risk_score": 21,
+    "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "User Added as Owner for Azure Service Principal",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"
+    ],
+    "risk_score": 21,
+    "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The `whoami` application was executed on a Linux host. This is often used by\ntools and persistence mechanisms to test for privileged access.",
+    "false_positives": [
+      "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "User Discovery via Whoami",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:whoami",
+    "risk_score": 21,
+    "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of VNC traffic from the\nInternet. VNC is commonly used by system administrators to remotely control a\nsystem for maintenance or to use shared resources. It should almost never be\ndirectly exposed to the Internet, as it is frequently targeted and exploited by\nthreat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "VNC (Virtual Network Computing) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+    "risk_score": 73,
+    "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects network events that may indicate the use of VNC traffic to the Internet.\nVNC is commonly used by system administrators to remotely control a system for\nmaintenance or to use shared resources. It should almost never be directly\nexposed to the Internet, as it is frequently targeted and exploited by threat\nactors as an initial access or back-door vector.",
+    "false_positives": [
+      "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "VNC (Virtual Network Computing) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Virtual Machine Fingerprinting",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+    "risk_score": 73,
+    "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `vssadmin.exe` for shadow copy deletion on endpoints. This\ncommonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Volume Shadow Copy Deletion via VssAdmin",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+    "risk_score": 73,
+    "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `wmic.exe` for shadow copy deletion on endpoints. This\ncommonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Volume Shadow Copy Deletion via WMIC",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
+    "risk_score": 73,
+    "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application server contained no identifying user agent\nstring.",
+    "false_positives": [
+      "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "exists": {
+          "field": "user_agent.original"
+        },
+        "meta": {
+          "disabled": false,
+          "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+          "key": "user_agent.original",
+          "negate": true,
+          "type": "exists",
+          "value": "exists"
+        }
+      }
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Web Application Suspicious Activity: No User Agent",
+    "query": "url.path:*",
+    "references": [
+      "https://en.wikipedia.org/wiki/User_agent"
+    ],
+    "risk_score": 47,
+    "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A POST request to web application returned a 403 response, which indicates the\nweb application declined to process the request because the action requested was\nnot allowed.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Web Application Suspicious Activity: POST Request Declined",
+    "query": "http.response.status_code:403 and http.request.method:post",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_403"
+    ],
+    "risk_score": 47,
+    "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to web application returned a 405 response which indicates the web\napplication declined to process the request because the HTTP method is not\nallowed for the resource.",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Web Application Suspicious Activity: Unauthorized Method",
+    "query": "http.response.status_code:405",
+    "references": [
+      "https://en.wikipedia.org/wiki/HTTP_405"
+    ],
+    "risk_score": 47,
+    "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This is an example of how to detect an unwanted web client user agent. This\nsearch matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool\nfor testing web applications for SQL injection vulnerabilities.",
+    "false_positives": [
+      "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Web Application Suspicious Activity: sqlmap User Agent",
+    "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+    "references": [
+      "http://sqlmap.org/"
+    ],
+    "risk_score": 47,
+    "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of `whoami.exe` which displays user, group, and privileges\ninformation for the user who is currently logged on to the local system.",
+    "false_positives": [
+      "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Whoami Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe",
+    "risk_score": 21,
+    "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (`Crypt32.dll`)\nvalidates Elliptic Curve Cryptography (ECC) certificates. An attacker could\nexploit the vulnerability by using a spoofed code-signing certificate to sign a\nmalicious executable, making it appear the file was from a trusted, legitimate\nsource.",
+    "index": [
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
+    "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
+    "risk_score": 21,
+    "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1116",
+            "name": "Code Signing",
+            "reference": "https://attack.mitre.org/techniques/T1116/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a PowerShell process launched by either `cscript.exe` or\n`wscript.exe`. Observing Windows scripting processes executing a PowerShell\nscript, may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Windows Script Executing PowerShell",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+    "risk_score": 21,
+    "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Windows Suspicious Script Object Execution",
+    "query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan=2m\n  [process where event.type in (\"start\", \"process_started\") and\n     /* uncomment once in winlogbeat */\n     /* process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and */\n     not (process.name : \"cscript.exe\" or\n          process.name : \"iexplore.exe\" or\n          process.name : \"MicrosoftEdge.exe\" or\n          process.name : \"msiexec.exe\" or\n          process.name : \"smartscreen.exe\" or\n          process.name : \"taskhostw.exe\" or\n          process.name : \"w3wp.exe\" or\n          process.name : \"wscript.exe\")]\n  [library where event.type == \"start\" and file.name : \"scrobj.dll\"]\n",
+    "risk_score": 21,
+    "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Zoom Meeting with no Passcode",
+    "note": "This rule requires the Zoom Filebeat module.",
+    "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*",
+    "references": [
+      "https://blog.zoom.us/a-message-to-our-users/",
+      "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"
+    ],
+    "risk_score": 47,
+    "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Application",
+      "Communication",
+      "Zoom",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  }
+]
\ No newline at end of file
diff --git a/prebuilt-rules-scripts/get-release-rules.py b/prebuilt-rules-scripts/get-release-rules.py
index a523509e07..ea24d2d1a5 100644
--- a/prebuilt-rules-scripts/get-release-rules.py
+++ b/prebuilt-rules-scripts/get-release-rules.py
@@ -7,7 +7,7 @@
 # Creates a JSON file with all the prebuilt rules for the release. Before  
 # running this script make sure the correct Kibana branch is checkout out.
 
-releaseVersion = "7.9.1" # Security app release version - update as required
+releaseVersion = "7.10.0" # Security app release version - update as required
 
 def sort_by_name(rule):
     '''
diff --git a/prebuilt-rules-scripts/get-rule-diff.py b/prebuilt-rules-scripts/get-rule-diff.py
index 4f193af354..b8cf4a2fbd 100644
--- a/prebuilt-rules-scripts/get-rule-diff.py
+++ b/prebuilt-rules-scripts/get-rule-diff.py
@@ -10,8 +10,8 @@
 # generated for the previous release. It checks if rule queries have been
 # changed and updates the version history as required (changelog object).
 
-releaseVersion = "7.9.1" # Security app release version - update as required
-previousReleaseVersion = "7.9.0" # Release pf the previous release for which docs were generated 
+releaseVersion = "7.10.0" # Security app release version - update as required
+previousReleaseVersion = "7.9.1" # Release pf the previous release for which docs were generated 
 
 def sort_by_name(rule):
     '''
diff --git a/prebuilt-rules-scripts/orig-rules-json-files/7.10.0-prebuilt-rule.json b/prebuilt-rules-scripts/orig-rules-json-files/7.10.0-prebuilt-rule.json
index f1823a59a8..65ca974989 100644
--- a/prebuilt-rules-scripts/orig-rules-json-files/7.10.0-prebuilt-rule.json
+++ b/prebuilt-rules-scripts/orig-rules-json-files/7.10.0-prebuilt-rule.json
@@ -1,846 +1,679 @@
 [
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.846Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.",
-    "enabled": true,
-    "exceptions_list": [],
+    "author": [
+      "Nick Jones",
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material",
     "false_positives": [
-      "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
+      "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "from": "now-6m",
-    "id": "b7506618-6420-41c2-89bf-b544f8a3fd42",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
-    "last_success_at": "2020-10-09T08:16:33.869Z",
-    "last_success_message": "succeeded",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "DNS Activity to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+    "name": "AWS Access Secret in Secrets Manager",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
     "references": [
-      "https://www.us-cert.gov/ncas/alerts/TA15-240A",
-      "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf"
+      "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+      "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"
+    ],
+    "risk_score": 73,
+    "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
-    "severity": "medium",
-    "severity_mapping": [],
-    "status": "succeeded",
-    "status_date": "2020-10-09T08:16:33.869Z",
-    "tags": ["Elastic", "Network"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-09T08:16:34.817Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.847Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed",
-    "enabled": true,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.",
     "false_positives": [
-      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+      "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-6m",
-    "id": "16c8bd87-442d-40f1-b609-88f806e59fd6",
-    "immutable": true,
-    "index": ["apm-*-transaction*"],
-    "interval": "5m",
-    "language": "kuery",
-    "last_success_at": "2020-10-09T08:16:30.797Z",
-    "last_success_message": "succeeded",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Web Application Suspicious Activity: POST Request Declined",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "http.response.status_code:403 and http.request.method:post",
-    "references": ["https://en.wikipedia.org/wiki/HTTP_403"],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
-    "severity": "medium",
-    "severity_mapping": [],
-    "status": "succeeded",
-    "status_date": "2020-10-09T08:16:30.797Z",
-    "tags": ["APM", "Elastic"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-09T08:16:31.785Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:07.028Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Generates a detection alert each time an Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
-    "enabled": true,
-    "exceptions_list": [
-      {
-        "id": "endpoint_list",
-        "list_id": "endpoint_list",
-        "namespace_type": "agnostic",
-        "type": "endpoint"
-      },
-      {
-        "id": "1290cb70-08a4-11eb-9486-230882562c8d",
-        "list_id": "46fa4e5f-983a-4151-a992-a47d16a442c3",
-        "namespace_type": "single",
-        "type": "detection"
-      }
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "false_positives": [],
-    "from": "now-10m",
-    "id": "c6e9f685-90f3-4c5a-bfc2-f1cf58d1aa40",
-    "immutable": true,
-    "index": ["logs-endpoint.alerts-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
-    "last_success_at": "2020-10-09T08:18:55.160Z",
-    "last_success_message": "succeeded",
     "license": "Elastic License",
-    "max_signals": 10000,
-    "name": "Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:(endpoint and not endgame)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [
-      {
-        "field": "event.risk_score",
-        "operator": "equals",
-        "value": ""
-      }
+    "name": "AWS CloudTrail Log Created",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
     ],
-    "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
-    "rule_name_override": "message",
-    "severity": "medium",
-    "severity_mapping": [
-      {
-        "field": "event.severity",
-        "operator": "equals",
-        "severity": "low",
-        "value": "21"
-      },
-      {
-        "field": "event.severity",
-        "operator": "equals",
-        "severity": "medium",
-        "value": "47"
-      },
-      {
-        "field": "event.severity",
-        "operator": "equals",
-        "severity": "high",
-        "value": "73"
-      },
+    "risk_score": 21,
+    "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
+    "threat": [
       {
-        "field": "event.severity",
-        "operator": "equals",
-        "severity": "critical",
-        "value": "99"
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
       }
     ],
-    "status": "succeeded",
-    "status_date": "2020-10-09T08:18:55.160Z",
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "timestamp_override": "event.ingested",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-09T08:18:56.117Z",
-    "updated_by": "gloria.delatorre@elastic.co",
     "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.837Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.",
     "false_positives": [
-      "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+      "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "from": "now-6m",
-    "id": "db192626-e9b3-407c-939f-e363ad5e1b33",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "RDP (Remote Desktop Protocol) from the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
+    "name": "AWS CloudTrail Log Deleted",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
+    "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
-        },
-        "technique": [
-          {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0008",
-          "name": "Lateral Movement",
-          "reference": "https://attack.mitre.org/tactics/TA0008/"
-        },
-        "technique": [
-          {
-            "id": "T1021",
-            "name": "Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1021/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.837Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.841Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.",
     "false_positives": [
-      "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded."
+      "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "from": "now-6m",
-    "id": "2321f645-17ea-4d80-a2b9-9a47af29786e",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "PPTP (Point to Point Tunneling Protocol) Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "name": "AWS CloudTrail Log Suspended",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.841Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.843Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.",
     "false_positives": [
-      "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior."
+      "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "from": "now-6m",
-    "id": "f468667d-44a2-4c7c-a74a-df133a16c99e",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "SMTP to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
+    "name": "AWS CloudTrail Log Updated",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
+    "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1492",
+            "name": "Stored Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1492/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0010",
-          "name": "Exfiltration",
-          "reference": "https://attack.mitre.org/tactics/TA0010/"
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
         },
         "technique": [
           {
-            "id": "T1048",
-            "name": "Exfiltration Over Alternative Protocol",
-            "reference": "https://attack.mitre.org/techniques/T1048/"
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.843Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.844Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.",
     "false_positives": [
-      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-6m",
-    "id": "3e966608-d44d-4ce0-876c-81cedfbff76a",
-    "immutable": true,
-    "index": ["apm-*-transaction*"],
-    "interval": "5m",
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Web Application Suspicious Activity: Unauthorized Method",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "http.response.status_code:405",
-    "references": ["https://en.wikipedia.org/wiki/HTTP_405"],
+    "name": "AWS CloudWatch Alarm Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+    "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["APM", "Elastic"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:05.844Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.849Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet."
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
     ],
-    "from": "now-6m",
-    "id": "281c1a2e-b561-499c-a83d-a5c42b9e4f8b",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "TCP Port 8000 Activity to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.849Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.850Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.",
     "false_positives": [
-      "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "from": "now-6m",
-    "id": "0d027fc7-2740-4911-b1e3-fdf90c4b410f",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "IPSEC NAT Traversal Port Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "name": "AWS CloudWatch Log Group Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:05.850Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.853Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A request to a web application server contained no identifying user agent string.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
-    ],
-    "filters": [
+      },
       {
-        "$state": {
-          "store": "appState"
-        },
-        "exists": {
-          "field": "user_agent.original"
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
-        "meta": {
-          "disabled": false,
-          "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
-          "key": "user_agent.original",
-          "negate": true,
-          "type": "exists",
-          "value": "exists"
-        }
+        "technique": [
+          {
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
       }
     ],
-    "from": "now-6m",
-    "id": "bb5f1b57-615a-4367-a950-b000fffdd422",
-    "immutable": true,
-    "index": ["apm-*-transaction*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Web Application Suspicious Activity: No User Agent",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "url.path:*",
-    "references": ["https://en.wikipedia.org/wiki/User_agent"],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["APM", "Elastic"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.853Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.855Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.",
     "false_positives": [
-      "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
+      "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-6m",
-    "id": "69436d27-6597-4b0b-ba2b-ed54ac0f9c96",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Proxy Port Activity to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
+    "name": "AWS CloudWatch Log Stream Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
+    "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:05.855Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.856Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
-    ],
-    "from": "now-6m",
-    "id": "8f462464-31c1-40c4-a43d-a104348acd27",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "FTP (File Transfer Protocol) Activity to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
-      },
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce visibiltiy into the security posture of an account and / or its workload instances.",
+    "false_positives": [
+      "Privileged IAM users with security responsibilities may be expected to make changes to the Config rules in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Config Service Tampering",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
+    "references": [
+      "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0010",
-          "name": "Exfiltration",
-          "reference": "https://attack.mitre.org/tactics/TA0010/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1048",
-            "name": "Exfiltration Over Alternative Protocol",
-            "reference": "https://attack.mitre.org/techniques/T1048/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.856Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.865Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an AWS configuration change to stop recording a designated set of resources.",
     "false_positives": [
-      "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet."
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "from": "now-6m",
-    "id": "f1bbeb9c-9f2a-421f-9c6a-c9cb9991a794",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "SQL Traffic to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "name": "AWS Configuration Recorder Stopped",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
+      "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.865Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.946Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "1485d1f3-1d5a-4302-a27a-327df9fe869a",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.",
+    "false_positives": [
+      "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious PDF Reader Child Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "AWS EC2 Encryption Disabled",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1204",
-            "name": "User Execution",
-            "reference": "https://attack.mitre.org/techniques/T1204/"
+            "id": "T1492",
+            "name": "Stored Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1492/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.947Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.954Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.",
     "false_positives": [
-      "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-9m",
-    "id": "b952976a-0ab6-43bd-8ea7-f5487b907cb6",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "File Permission Modification in Writable Directory",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "name": "AWS EC2 Flow Log Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -851,217 +684,215 @@
         },
         "technique": [
           {
-            "id": "T1222",
-            "name": "File and Directory Permissions Modification",
-            "reference": "https://attack.mitre.org/techniques/T1222/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.954Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.993Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "4f589ace-70e1-4dd9-a782-f6dabc44f7d7",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.",
+    "false_positives": [
+      "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Bypass UAC via Event Viewer",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
-    "references": [],
+    "name": "AWS EC2 Network Access Control List Creation",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+    "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1088",
-            "name": "Bypass User Account Control",
-            "reference": "https://attack.mitre.org/techniques/T1088/"
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:05.993Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.000Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.",
     "false_positives": [
-      "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired."
+      "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS EC2 Network Access Control List Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
     ],
-    "from": "now-6m",
-    "id": "20890724-04a0-448c-93f0-bb586f32ba4d",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Tor Activity to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
+    "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
-        },
-        "technique": [
-          {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1188",
-            "name": "Multi-hop Proxy",
-            "reference": "https://attack.mitre.org/techniques/T1188/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.000Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.010Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "e17df2aa-3117-4bd7-829e-27a761568a30",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.",
+    "false_positives": [
+      "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Disable Syslog Service",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
-    "references": [],
+    "name": "AWS EC2 Snapshot Activity",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
+      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+    "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.010Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.030Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "db5b85d5-8298-42e4-b59a-a2722743cc6e",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious MS Office Child Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
-    "references": [],
+    "name": "AWS Execution via System Manager",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
+    "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -1072,47 +903,65 @@
         },
         "technique": [
           {
-            "id": "T1193",
-            "name": "Spearphishing Attachment",
-            "reference": "https://attack.mitre.org/techniques/T1193/"
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1086",
+            "name": "PowerShell",
+            "reference": "https://attack.mitre.org/techniques/T1086/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.030Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.023Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "15cc5f59-b81a-428d-8ed7-b4491077de17",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.",
+    "false_positives": [
+      "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Volume Shadow Copy Deletion via VssAdmin",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
-    "references": [],
+    "name": "AWS GuardDuty Detector Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
+      "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
+    ],
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+    "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -1123,207 +972,211 @@
         },
         "technique": [
           {
-            "id": "T1490",
-            "name": "Inhibit System Recovery",
-            "reference": "https://attack.mitre.org/techniques/T1490/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.024Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.043Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.",
     "false_positives": [
-      "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-6m",
-    "id": "85c2192c-16d1-4ccb-955b-d38b1f5eb5ca",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "SSH (Secure Shell) to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
+    "name": "AWS IAM Assume Role Policy Update",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
+    "references": [
+      "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
+    "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.045Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.131Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "548be44f-0ca1-495b-8766-4a9bbd732a53",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.",
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Network Connection via Compiled HTML File",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:hh.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
-        },
-        "technique": [
-          {
-            "id": "T1223",
-            "name": "Compiled HTML File",
-            "reference": "https://attack.mitre.org/techniques/T1223/"
-          }
-        ]
-      },
+    "name": "AWS IAM Brute Force of Assume Role Policy",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+    "references": [
+      "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
+      "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
+    ],
+    "risk_score": 47,
+    "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1223",
-            "name": "Compiled HTML File",
-            "reference": "https://attack.mitre.org/techniques/T1223/"
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.131Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "threshold": {
+      "field": "",
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.204Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.",
     "false_positives": [
-      "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
+      "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-9m",
-    "id": "f2c3917c-a652-41d3-8134-c4c5640216ce",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Nping Process Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:nping",
-    "references": ["https://en.wikipedia.org/wiki/Nmap"],
+    "name": "AWS IAM Deactivation of MFA Device",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77",
+    "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
+          }
+        ]
+      }
+    ],
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.204Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.207Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.",
     "false_positives": [
-      "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon."
+      "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-9m",
-    "id": "af0f6c3d-ac01-4111-9563-bec01cc07c4b",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Persistence via Kernel Module Modification",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)",
+    "name": "AWS IAM Group Creation",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
     "references": [
-      "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM"
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
+    "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -1334,429 +1187,364 @@
         },
         "technique": [
           {
-            "id": "T1215",
-            "name": "Kernel Modules and Extensions",
-            "reference": "https://attack.mitre.org/techniques/T1215/"
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.208Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.215Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.",
     "false_positives": [
-      "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
+      "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-9m",
-    "id": "417d3f1c-b201-4f0e-9988-2896f9b1562f",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Network Sniffing via Tcpdump",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump",
-    "references": [],
+    "name": "AWS IAM Group Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0",
+    "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1040",
-            "name": "Network Sniffing",
-            "reference": "https://attack.mitre.org/techniques/T1040/"
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
           }
         ]
-      },
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.",
+    "false_positives": [
+      "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS IAM Password Recovery Requested",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"
+    ],
+    "risk_score": 21,
+    "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1040",
-            "name": "Network Sniffing",
-            "reference": "https://attack.mitre.org/techniques/T1040/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.216Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.224Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
     "false_positives": [
-      "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+      "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "from": "now-6m",
-    "id": "d5e1f7ff-3d2a-4c46-86dc-4b3362abbeb5",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "SSH (Secure Shell) from the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "name": "AWS IAM User Addition to Group",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0008",
-          "name": "Lateral Movement",
-          "reference": "https://attack.mitre.org/tactics/TA0008/"
-        },
-        "technique": [
-          {
-            "id": "T1021",
-            "name": "Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1021/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.224Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.228Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.",
     "false_positives": [
-      "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon."
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "from": "now-20m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "from": "now-9m",
-    "id": "59da5a14-4c84-41d8-b2e9-20c0b3521d45",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Nmap Process Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:nmap",
-    "references": ["https://en.wikipedia.org/wiki/Nmap"],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.228Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.230Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "657078ef-b35d-45f0-9e52-6e22d24f25d3",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Clearing Windows Event Logs",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "AWS Management Console Brute Force of Root User Identity",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1070",
-            "name": "Indicator Removal on Host",
-            "reference": "https://attack.mitre.org/techniques/T1070/"
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.230Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "threshold": {
+      "field": "cloud.account.id",
+      "value": 10
+    },
+    "type": "threshold",
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.235Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "e413a876-689c-4f61-99f0-546262a1cc76",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a successful login to the AWS Management Console by the Root user.",
+    "false_positives": [
+      "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Delete Volume USN Journal with Fsutil",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "AWS Management Console Root Login",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1107",
-            "name": "File Deletion",
-            "reference": "https://attack.mitre.org/techniques/T1107/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.235Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.244Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.",
     "false_positives": [
-      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+      "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
     "from": "now-60m",
-    "id": "30f46469-a971-4609-a073-4057d84152ac",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "rare_method_for_a_city",
-    "max_signals": 100,
-    "name": "Unusual City For an AWS Command",
-    "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.244Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.248Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "from": "now-45m",
-    "id": "4882669a-2ce0-4b19-8b3a-af74baea7d0f",
-    "immutable": true,
-    "interval": "15m",
+    "interval": "10m",
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
-    "max_signals": 100,
-    "name": "Unusual Linux Web Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "AWS RDS Cluster Creation",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+    "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.248Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.249Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
     ],
-    "from": "now-9m",
-    "id": "a6c1ccdc-dfb1-4da6-a5b1-1287641c1885",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Hex Encoding/Decoding Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1140",
-            "name": "Deobfuscate/Decode Files or Information",
-            "reference": "https://attack.mitre.org/techniques/T1140/"
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
           }
         ]
       },
@@ -1769,208 +1557,218 @@
         },
         "technique": [
           {
-            "id": "T1027",
-            "name": "Obfuscated Files or Information",
-            "reference": "https://attack.mitre.org/techniques/T1027/"
+            "id": "T1108",
+            "name": "Redundant Access",
+            "reference": "https://attack.mitre.org/techniques/T1108/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.249Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.251Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster.",
     "false_positives": [
-      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+      "Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-45m",
-    "id": "79d76c3d-147f-4d0b-b08d-b23cf2a94ca6",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "packetbeat_rare_server_domain",
-    "max_signals": 100,
-    "name": "Unusual Network Destination Domain Name",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Packetbeat"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.251Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.253Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
-    ],
-    "from": "now-9m",
-    "id": "20bc06b4-0c70-45f8-be8a-1cbf0d309201",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Microsoft Build Engine Started an Unusual Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
+    "name": "AWS RDS Cluster Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
     "references": [
-      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"
+    ],
+    "risk_score": 47,
+    "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1500",
-            "name": "Compile After Delivery",
-            "reference": "https://attack.mitre.org/techniques/T1500/"
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.253Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.256Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.",
     "false_positives": [
-      "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
+      "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-9m",
-    "id": "7a629dcb-85d0-441d-aa7c-c35083169c3f",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "lucene",
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 33,
-    "name": "Creation of Hidden Files and Directories",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
-    "references": [],
+    "name": "AWS RDS Instance/Cluster Stoppage",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+    "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1158",
-            "name": "Hidden Files and Directories",
-            "reference": "https://attack.mitre.org/techniques/T1158/"
+            "id": "T1489",
+            "name": "Service Stop",
+            "reference": "https://attack.mitre.org/techniques/T1489/"
           }
         ]
-      },
+      }
+    ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.",
+    "false_positives": [
+      "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "AWS Root Login Without MFA",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
         },
         "technique": [
           {
-            "id": "T1158",
-            "name": "Hidden Files and Directories",
-            "reference": "https://attack.mitre.org/techniques/T1158/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.256Z",
-    "updated_by": "marra.sherrier@elastic.co",
     "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.258Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "84c07927-1881-4655-bdc3-301c54f70caa",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.",
+    "false_positives": [
+      "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "File Deletion via Shred",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
-    "references": [],
+    "name": "AWS S3 Bucket Configuration Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
+    "references": [
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
+    "rule_id": "227dc608-e558-43d9-b521-150772250bae",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -1981,125 +1779,50 @@
         },
         "technique": [
           {
-            "id": "T1107",
-            "name": "File Deletion",
-            "reference": "https://attack.mitre.org/techniques/T1107/"
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.258Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.265Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A newly installed program or one that rarely uses the network could trigger this alert."
-    ],
-    "from": "now-45m",
-    "id": "375ac792-3f41-4174-8665-b372a836fdcc",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "linux_anomalous_network_service",
-    "max_signals": 100,
-    "name": "Unusual Linux Network Service",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.265Z",
-    "updated_by": "marra.sherrier@elastic.co",
     "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.266Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.",
     "false_positives": [
-      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+      "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-45m",
-    "id": "ac2a92d7-0465-4d67-9fe1-c438d1c30d04",
-    "immutable": true,
-    "interval": "15m",
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "packetbeat_rare_urls",
-    "max_signals": 100,
-    "name": "Unusual Web Request",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "AWS WAF Access Control List Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Packetbeat"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.266Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.292Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+    "risk_score": 47,
+    "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
     ],
-    "from": "now-9m",
-    "id": "103278d7-52d4-4364-b62d-7bb017ab650f",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Kernel Module Removal",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
-    "references": ["http://man7.org/linux/man-pages/man8/modprobe.8.html"],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -2115,57 +1838,45 @@
             "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
-        },
-        "technique": [
-          {
-            "id": "T1215",
-            "name": "Kernel Modules and Extensions",
-            "reference": "https://attack.mitre.org/techniques/T1215/"
-          }
-        ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.292Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.297Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "46db561a-95ef-43ca-bea2-204d17d1b867",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.",
+    "false_positives": [
+      "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-aws*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Potential Disabling of SELinux",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
-    "references": [],
+    "name": "AWS WAF Rule or Rule Group Deletion",
+    "note": "The AWS Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
+    "references": [
+      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
+      "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+    "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -2183,249 +1894,84 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.297Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.298Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."
-    ],
-    "from": "now-60m",
-    "id": "fb89da6b-996a-469c-b117-29927b989b6e",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "high_distinct_count_error_message",
-    "max_signals": 100,
-    "name": "Spike in AWS Error Messages",
-    "note": "### Investigating Spikes in CloudTrail Errors ###\nDetection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "author": [
+      "Elastic"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.298Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.301Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
-    "enabled": false,
-    "exceptions_list": [],
+    "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.",
     "false_positives": [
-      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+      "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."
     ],
-    "from": "now-45m",
-    "id": "c30b1f18-a923-4173-91d4-e7cab73a6f9e",
-    "immutable": true,
-    "interval": "15m",
+    "index": [
+      "packetbeat-*",
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "rare_process_by_host_linux_ecs",
-    "max_signals": 100,
-    "name": "Unusual Process For a Linux Host",
-    "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Abnormally Large DNS Response",
+    "note": "### Investigating Large DNS Responses\nDetection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:\n- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.\n- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.",
+    "query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.301Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.304Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    "risk_score": 47,
+    "rule_id": "11013227-0301-4a8c-b150-4db924484475",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Lateral Movement"
     ],
-    "from": "now-9m",
-    "id": "a42fb504-b9b0-4bee-beef-a7e464add66a",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Virtual Machine Fingerprinting",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
         },
         "technique": [
           {
-            "id": "T1082",
-            "name": "System Information Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1082/"
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.304Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.306Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
-    ],
-    "from": "now-45m",
-    "id": "23550e90-f21b-4323-80cb-c9a704446b72",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "windows_anomalous_process_creation",
-    "max_signals": 100,
-    "name": "Anomalous Windows Process Creation",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.306Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.295Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies an unusually high number of authentication attempts.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
-    ],
-    "from": "now-45m",
-    "id": "ae650ce7-05f6-40b6-a268-19903d0ad62e",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "suspicious_login_activity_ecs",
-    "max_signals": 100,
-    "name": "Unusual Login Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.295Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.308Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    "author": [
+      "Elastic"
     ],
+    "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
     "from": "now-9m",
-    "id": "9629e36c-e2c6-4c83-b3c2-75f17211dff7",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Base64 Encoding/Decoding Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
-    "references": [],
+    "name": "Adding Hidden File Attribute via Attrib",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
+    "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -2436,764 +1982,349 @@
         },
         "technique": [
           {
-            "id": "T1140",
-            "name": "Deobfuscate/Decode Files or Information",
-            "reference": "https://attack.mitre.org/techniques/T1140/"
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1027",
-            "name": "Obfuscated Files or Information",
-            "reference": "https://attack.mitre.org/techniques/T1027/"
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.308Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.312Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts.",
     "false_positives": [
-      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+      "Consider adding exceptions to this rule to filter false positives if administrator privileges are regularly assigned to Okta groups in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
     ],
-    "from": "now-9m",
-    "id": "03b7ae47-cfdd-434e-b67a-4ed2241da834",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Connection to Internal Network via Telnet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:(connection or start) and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "name": "Administrator Privileges Assigned to Okta Group",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:group.privilege.grant",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0008",
-          "name": "Lateral Movement",
-          "reference": "https://attack.mitre.org/tactics/TA0008/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1021",
-            "name": "Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1021/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.312Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.321Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-60m",
-    "id": "8f048b91-6473-4102-aad3-8c01479f9c31",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "rare_error_code",
-    "max_signals": 100,
-    "name": "Rare AWS Error Code",
-    "note": "### Investigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.321Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.325Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
-    ],
-    "from": "now-60m",
-    "id": "938078fc-8049-4c81-9492-a368d6fc8673",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "rare_method_for_a_country",
-    "max_signals": 100,
-    "name": "Unusual Country For an AWS Command",
-    "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.325Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.336Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "46a3aef2-832b-44e8-b348-199111a953ff",
-    "immutable": true,
-    "index": [
-      "apm-*-transaction*",
-      "auditbeat-*",
-      "filebeat-*",
-      "logs-*",
-      "packetbeat-*",
-      "winlogbeat-*"
-    ],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 10000,
-    "name": "External Alerts",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and not event.module:(endgame or endpoint)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [
-      {
-        "field": "event.risk_score",
-        "operator": "equals",
-        "value": ""
-      }
-    ],
-    "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa",
-    "rule_name_override": "message",
-    "severity": "medium",
-    "severity_mapping": [
-      {
-        "field": "event.severity",
-        "operator": "equals",
-        "severity": "low",
-        "value": "21"
-      },
-      {
-        "field": "event.severity",
-        "operator": "equals",
-        "severity": "medium",
-        "value": "47"
-      },
-      {
-        "field": "event.severity",
-        "operator": "equals",
-        "severity": "high",
-        "value": "73"
-      },
-      {
-        "field": "event.severity",
-        "operator": "equals",
-        "severity": "critical",
-        "value": "99"
-      }
-    ],
-    "tags": ["Elastic"],
-    "threat": [],
-    "throttle": "no_actions",
-    "timestamp_override": "event.ingested",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.336Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.338Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
-    ],
-    "from": "now-45m",
-    "id": "63ae0f3f-f327-464d-a1a9-2596ef73a64d",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "windows_anomalous_service",
-    "max_signals": 100,
-    "name": "Unusual Windows Service",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
-    ],
+    "name": "Adobe Hijack Persistence",
+    "query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+    "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.338Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.340Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "f7c9ef60-74a9-40ea-a3cd-7e39091f95fa",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "lucene",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Deletion of Bash Command Line History",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1146",
-            "name": "Clear Command History",
-            "reference": "https://attack.mitre.org/techniques/T1146/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.340Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.342Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "ad4fe236-84d8-4a2f-bef0-eace45c28bbb",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Volume Shadow Copy Deletion via WMIC",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1107",
-            "name": "File Deletion",
-            "reference": "https://attack.mitre.org/techniques/T1107/"
+            "id": "T1044",
+            "name": "File System Permissions Weakness",
+            "reference": "https://attack.mitre.org/techniques/T1044/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.342Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.344Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "53bffe9d-db38-496d-b7db-486b34854e8b",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Direct Outbound SMB Connection",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or \"::1\")",
-    "references": [],
+    "name": "Adversary Behavior - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
+    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0008",
-          "name": "Lateral Movement",
-          "reference": "https://attack.mitre.org/tactics/TA0008/"
-        },
-        "technique": [
-          {
-            "id": "T1210",
-            "name": "Exploitation of Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1210/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.344Z",
-    "updated_by": "marra.sherrier@elastic.co",
     "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.346Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "25e75bf6-5c1d-4a93-9c3f-3b540ba12a50",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.",
+    "false_positives": [
+      "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Disable Windows Firewall Rules via Netsh",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "machine_learning_job_id": "linux_rare_kernel_module_arguments",
+    "name": "Anomalous Kernel Module Activity",
+    "references": [
+      "references"
+    ],
+    "risk_score": 21,
+    "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1215",
+            "name": "Kernel Modules and Extensions",
+            "reference": "https://attack.mitre.org/techniques/T1215/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.346Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "type": "machine_learning",
+    "version": 1
   },
   {
-    "actions": [],
     "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.349Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
     "false_positives": [
-      "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
+      "Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the course of troubleshooting or fixing a software issue."
     ],
     "from": "now-45m",
-    "id": "e46f0e20-11b3-4897-8ab1-8bb204447ebd",
-    "immutable": true,
     "interval": "15m",
     "license": "Elastic License",
-    "machine_learning_job_id": "windows_rare_user_runas_event",
-    "max_signals": 100,
-    "name": "Unusual Windows User Privilege Elevation Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
-    ],
+    "machine_learning_job_id": "linux_rare_user_compiler",
+    "name": "Anomalous Linux Compiler Activity",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
+    "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
     "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.350Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.351Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
-    "enabled": false,
-    "exceptions_list": [],
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
     "false_positives": [
-      "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
     ],
-    "from": "now-9m",
-    "id": "40f22d75-1ae1-4867-9b69-24ef4daec1a3",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Strace Process Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:strace",
-    "references": ["https://en.wikipedia.org/wiki/Strace"],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.351Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.358Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "82e49857-2b31-4c5f-9cc1-c71a35b22a6d",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
+    "from": "now-45m",
+    "interval": "15m",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Sudoers File Modification",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and event.type:change and file.path:/etc/sudoers",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
-        },
-        "technique": [
-          {
-            "id": "T1169",
-            "name": "Sudo",
-            "reference": "https://attack.mitre.org/techniques/T1169/"
-          }
-        ]
-      }
+    "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs",
+    "name": "Anomalous Process For a Linux Population",
+    "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.358Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.361Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "0e9ff50c-1ab1-4d26-a020-6d79f4cf347b",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Modification of Boot Configuration",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
-    "references": [],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff",
+    "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1107",
-            "name": "File Deletion",
-            "reference": "https://attack.mitre.org/techniques/T1107/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.361Z",
-    "updated_by": "marra.sherrier@elastic.co",
+    "type": "machine_learning",
     "version": 3
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.369Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.",
-    "enabled": false,
-    "exceptions_list": [],
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
     "false_positives": [
-      "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
     ],
-    "from": "now-9m",
-    "id": "95eff63e-5e32-4655-baa3-04ac10afea0d",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
+    "from": "now-45m",
+    "interval": "15m",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Socat Process Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V",
+    "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs",
+    "name": "Anomalous Process For a Windows Population",
+    "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
     "references": [
-      "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.369Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "risk_score": 21,
+    "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
   },
   {
-    "actions": [],
     "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.374Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.",
     "false_positives": [
-      "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
+      "Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
     ],
     "from": "now-45m",
-    "id": "80770efa-a78e-43ad-a6a4-aa3e3ac43dac",
-    "immutable": true,
     "interval": "15m",
     "license": "Elastic License",
-    "machine_learning_job_id": "windows_anomalous_script",
-    "max_signals": 100,
-    "name": "Suspicious Powershell Script",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "machine_learning_job_id": "windows_anomalous_process_creation",
+    "name": "Anomalous Windows Process Creation",
     "references": [
       "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
+    "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
     "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.374Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
+    "version": 3
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.376Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "38a0d129-077b-4635-9769-79514756cdd4",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.",
+    "false_positives": [
+      "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "User Account Creation",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
-    "references": [],
+    "name": "Attempt to Create Okta API Token",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.create",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
+    "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -3211,470 +2342,251 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.376Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 75,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.377Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."
-    ],
-    "from": "now-60m",
-    "id": "4206b3e3-37ec-49ab-85f7-01c2f5061fe1",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "rare_method_for_a_username",
-    "max_signals": 100,
-    "name": "Unusual AWS Command for a User",
-    "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "author": [
+      "Elastic"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.377Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.378Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
-    "enabled": false,
-    "exceptions_list": [],
+    "description": "An adversary may deactivate multi-factor authentication (MFA) for an Okta user account in order to weaken the authentication requirements for the account.",
     "false_positives": [
-      "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+      "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."
     ],
-    "from": "now-45m",
-    "id": "283f328a-8a89-42bb-a523-513c56d8146c",
-    "immutable": true,
-    "interval": "15m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "windows_anomalous_user_name_ecs",
-    "max_signals": 100,
-    "name": "Unusual Windows Username",
-    "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Attempt to Deactivate MFA for Okta User Account",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+    "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.378Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.380Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
     ],
-    "from": "now-9m",
-    "id": "6a873a69-7153-4289-9f14-205e07d56a39",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Enumeration of Kernel Modules",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1082",
-            "name": "System Information Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1082/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.380Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.382Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "a7521ae9-c955-4bee-9eb5-4e17b1ee4e63",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to deactivate an Okta multi-factor authentication (MFA) rule in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
-    "references": [],
+    "name": "Attempt to Deactivate Okta MFA Rule",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.deactivate",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3",
+    "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1116",
-            "name": "Code Signing",
-            "reference": "https://attack.mitre.org/techniques/T1116/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.382Z",
-    "updated_by": "marra.sherrier@elastic.co",
     "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.384Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-9m",
-    "id": "feeeef06-fe34-4367-94ce-eaf168424629",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Process Execution - Temp",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.384Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.385Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.",
-    "enabled": false,
-    "exceptions_list": [],
+    "description": "An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
     "false_positives": [
-      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+      "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
     ],
-    "from": "now-6m",
-    "id": "47bc7dad-1d34-4629-9077-550412bada12",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Process Injection by the Microsoft Build Engine",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
-    "references": [],
+    "name": "Attempt to Deactivate Okta Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9",
+    "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1055",
-            "name": "Process Injection",
-            "reference": "https://attack.mitre.org/techniques/T1055/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1055",
-            "name": "Process Injection",
-            "reference": "https://attack.mitre.org/techniques/T1055/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.385Z",
-    "updated_by": "marra.sherrier@elastic.co",
     "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.401Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
     "false_positives": [
-      "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks."
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
     ],
-    "from": "now-9m",
-    "id": "eeb8d81f-726b-48b8-a3c3-3e50bac523e8",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "User Discovery via Whoami",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:whoami",
-    "references": [],
+    "name": "Attempt to Delete Okta Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9",
+    "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
-        },
-        "technique": [
-          {
-            "id": "T1033",
-            "name": "System Owner/User Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1033/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.401Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.403Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    "author": [
+      "Elastic"
     ],
+    "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
     "from": "now-9m",
-    "id": "4a94c3be-0c50-41f3-954c-850d3099c644",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Connection to External Network via Telnet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:(connection or start) and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
-    "references": [],
+    "name": "Attempt to Disable IPTables or Firewall",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
+    "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0008",
-          "name": "Lateral Movement",
-          "reference": "https://attack.mitre.org/tactics/TA0008/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1021",
-            "name": "Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1021/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.403Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.405Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
-    ],
-    "from": "now-9m",
-    "id": "3d8b6417-6d3f-4355-87e0-6ff56cea55bf",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Hping Process Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
-    "references": ["https://en.wikipedia.org/wiki/Hping"],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.405Z",
-    "updated_by": "marra.sherrier@elastic.co",
     "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.407Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
     "from": "now-9m",
-    "id": "69915384-c3c9-437e-aa03-ba5a8ea3b016",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Disable IPTables or Firewall",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:ufw and process.args:(allow or disable or reset) or  (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(firewalld or ip6tables or iptables))",
-    "references": [],
+    "name": "Attempt to Disable Syslog Service",
+    "query": "event.category:process and event.type:(start or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
+    "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -3692,574 +2604,368 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.407Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.411Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "721cee2c-17e2-417c-8845-9674ca5f730b",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to modify an Okta multi-factor authentication (MFA) rule in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Adobe Hijack Persistence",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and event.type:creation and file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and not process.name:msiexec.exe",
-    "references": [],
+    "name": "Attempt to Modify Okta MFA Rule",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
+    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
-        },
-        "technique": [
-          {
-            "id": "T1044",
-            "name": "File System Permissions Weakness",
-            "reference": "https://attack.mitre.org/techniques/T1044/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.411Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.412Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "c3054500-6c20-43bb-aaae-eda27328d110",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Network Connection via Mshta",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:mshta.exe",
+    "name": "Attempt to Modify Okta Network Zone",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)",
     "references": [
-      "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
+    "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
-        },
-        "technique": [
-          {
-            "id": "T1170",
-            "name": "Mshta",
-            "reference": "https://attack.mitre.org/techniques/T1170/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.412Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.415Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
     "false_positives": [
-      "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."
     ],
-    "from": "now-45m",
-    "id": "04c047a4-19fe-43cd-8857-14b7ff35b5df",
-    "immutable": true,
-    "interval": "15m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "windows_rare_user_type10_remote_login",
-    "max_signals": 100,
-    "name": "Unusual Windows Remote User",
-    "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Attempt to Modify Okta Policy",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.lifecycle.update",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",
+    "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.415Z",
-    "updated_by": "marra.sherrier@elastic.co",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "type": "query",
     "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.418Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to remove the multi-factor authentication (MFA) factors registered on an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.",
     "false_positives": [
-      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+      "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."
     ],
-    "from": "now-45m",
-    "id": "b70210b2-35e4-423b-8ebf-6465e43e6076",
-    "immutable": true,
-    "interval": "15m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs",
-    "max_signals": 100,
-    "name": "Anomalous Process For a Linux Population",
-    "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Attempt to Reset MFA Factors for Okta User Account",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88",
+    "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.418Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.420Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
     ],
-    "from": "now-9m",
-    "id": "3e4aa2f0-5591-4a29-8e3f-badd491cbbca",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Base16 or Base32 Encoding/Decoding Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1140",
-            "name": "Deobfuscate/Decode Files or Information",
-            "reference": "https://attack.mitre.org/techniques/T1140/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1027",
-            "name": "Obfuscated Files or Information",
-            "reference": "https://attack.mitre.org/techniques/T1027/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.420Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.423Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.",
     "false_positives": [
-      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+      "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
     ],
-    "from": "now-45m",
-    "id": "f234ebe2-8e48-4ff5-a23c-23932fbfabb5",
-    "immutable": true,
-    "interval": "15m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs",
-    "max_signals": 100,
-    "name": "Anomalous Process For a Windows Population",
-    "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Attempt to Revoke Okta API Token",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:system.api_token.revoke",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172",
+    "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.423Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.425Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
     ],
-    "from": "now-9m",
-    "id": "be7b85c3-8c75-4559-b42b-7c72c9e11789",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Potential DNS Tunneling via Iodine",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
-    "references": ["https://code.kryo.se/iodine/"],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.425Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.426Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "23e9a936-1af5-470f-9b22-1908138ddd33",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Windows Script Executing PowerShell",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1193",
-            "name": "Spearphishing Attachment",
-            "reference": "https://attack.mitre.org/techniques/T1193/"
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.426Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.429Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-45m",
-    "id": "e326022b-8da5-4a69-8513-fbcdb3c162e8",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "linux_anomalous_user_name_ecs",
-    "max_signals": 100,
-    "name": "Unusual Linux Username",
-    "note": "### Investigating an Unusual Linux User ###\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "description": "An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.429Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.437Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "5bf96acd-89b7-4791-aed7-52beb7eac894",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Execution via Regsvcs/Regasm",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "47f09343-8d1f-4bb5-8bb0-00c9d18f5010",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Attempted Bypass of Okta MFA",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 73,
+    "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1121",
-            "name": "Regsvcs/Regasm",
-            "reference": "https://attack.mitre.org/techniques/T1121/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1121",
-            "name": "Regsvcs/Regasm",
-            "reference": "https://attack.mitre.org/techniques/T1121/"
+            "id": "T1111",
+            "name": "Two-Factor Authentication Interception",
+            "reference": "https://attack.mitre.org/techniques/T1111/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.437Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.438Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "4d4b22ef-ac6f-4473-9f81-2bce38b4e2f7",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
+    "from": "now-180m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Deleting Backup Catalogs with Wbadmin",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Attempts to Brute Force an Okta User Account",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.lock",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1107",
-            "name": "File Deletion",
-            "reference": "https://attack.mitre.org/techniques/T1107/"
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.438Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "threshold": {
+      "field": "okta.actor.id",
+      "value": 3
+    },
+    "type": "threshold",
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.441Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "4f56d63f-050c-439d-be03-3b34988709d2",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Encoding or Decoding Files via CertUtil",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Azure Automation Account Created",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
+    "risk_score": 21,
+    "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -4269,355 +2975,219 @@
         },
         "technique": [
           {
-            "id": "T1140",
-            "name": "Deobfuscate/Decode Files or Information",
-            "reference": "https://attack.mitre.org/techniques/T1140/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.441Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.442Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "bbf64265-4ccf-4f7e-af5a-62aa44c03f51",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Network Connection via RunDLL32",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:rundll32.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)",
-    "references": [],
+    "name": "Azure Automation Runbook Created or Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and event.outcome:Success",
+    "references": [
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
+    "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
-        },
-        "technique": [
-          {
-            "id": "T1085",
-            "name": "Rundll32",
-            "reference": "https://attack.mitre.org/techniques/T1085/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.442Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 5
+    "version": 1
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.443Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-45m",
-    "id": "ff9d8a1a-b381-41b8-b523-1894636179c1",
-    "immutable": true,
-    "interval": "15m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
-    "max_signals": 100,
-    "name": "Unusual Linux Network Activity",
-    "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Azure Automation Runbook Deleted",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and event.outcome:Success",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+    "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.444Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.445Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-45m",
-    "id": "55b894a0-5f76-42c3-9432-9b601f03eead",
-    "immutable": true,
-    "interval": "15m",
+    "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "packetbeat_rare_dns_question",
-    "max_signals": 100,
-    "name": "Unusual DNS Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Azure Automation Webhook Created",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and event.outcome:Success",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+      "https://github.com/hausec/PowerZure",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
+    "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Packetbeat"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.445Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "to": "now-25m",
+    "type": "query",
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.448Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "a742b740-b5a0-45db-9215-f1cc98105c8f",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.",
+    "false_positives": [
+      "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Network Connection via MsXsl",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:msxsl.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
-    "references": [],
+    "name": "Azure Blob Container Access Level Modification",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+    "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Asset Visibility"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
         },
         "technique": [
           {
-            "id": "T1220",
-            "name": "XSL Script Processing",
-            "reference": "https://attack.mitre.org/techniques/T1220/"
-          }
-        ]
+            "id": "T1526",
+            "name": "Cloud Service Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1526/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
+          }
+        ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.448Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
+    "version": 1
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.452Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A newly installed program or one that rarely uses the network could trigger this alert."
-    ],
-    "from": "now-45m",
-    "id": "2208f6a1-4406-4209-8ef3-579b36d8ad57",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs",
-    "max_signals": 100,
-    "name": "Unusual Linux Network Port Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "author": [
+      "Elastic"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.452Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.453Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
-    "enabled": false,
-    "exceptions_list": [],
+    "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
     "false_positives": [
-      "A newly installed program or one that rarely uses the network could trigger this alert."
-    ],
-    "from": "now-45m",
-    "id": "b235ad29-bc35-409e-aa3a-d2562b099612",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "windows_anomalous_network_activity_ecs",
-    "max_signals": 100,
-    "name": "Unusual Windows Network Activity",
-    "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.453Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.457Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-45m",
-    "id": "8ed23ec7-6111-4f6a-8c40-ad6f0904a0fd",
-    "immutable": true,
-    "interval": "15m",
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "packetbeat_rare_user_agent",
-    "max_signals": 100,
-    "name": "Unusual Web User Agent",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Azure Command Execution on Virtual Machine",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:Success",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://adsecurity.org/?p=4277",
+      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
+    ],
+    "risk_score": 47,
+    "rule_id": "60884af6-f553-4a6c-af13-300047455491",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Packetbeat"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.457Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.458Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "329f575a-829d-492a-831e-bdf3b72233cd",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Network Connection via Signed Binary",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1218",
-            "name": "Signed Binary Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1218/"
-          }
-        ]
-      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -4627,104 +3197,45 @@
         },
         "technique": [
           {
-            "id": "T1218",
-            "name": "Signed Binary Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1218/"
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.459Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.460Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-9m",
-    "id": "a3f2ef93-b282-409c-86d2-3ed3ce03242b",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Netcat Network Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:(access or connection or start) and process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional)",
+    "name": "Azure Conditional Access Policy Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:success",
     "references": [
-      "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
-      "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
-      "https://en.wikipedia.org/wiki/Netcat"
+      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f",
+    "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:46:06.460Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.463Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "11834d11-5eba-4b8a-838b-f8b4fd0f7d53",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Adding Hidden File Attribute via Attrib",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:attrib.exe and process.args:+h",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
     "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1158",
-            "name": "Hidden Files and Directories",
-            "reference": "https://attack.mitre.org/techniques/T1158/"
-          }
-        ]
-      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -4734,556 +3245,437 @@
         },
         "technique": [
           {
-            "id": "T1158",
-            "name": "Hidden Files and Directories",
-            "reference": "https://attack.mitre.org/techniques/T1158/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.463Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.464Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "fc6f34ae-3d4a-49a5-9144-e0c4ae1d4f48",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
+    "false_positives": [
+      "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Local Service Commands",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Azure Diagnostic Settings Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
+    ],
+    "risk_score": 47,
+    "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1021",
-            "name": "Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1021/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.465Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.466Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
     "false_positives": [
-      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+      "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-45m",
-    "id": "d4d65632-6961-414a-a0df-a71351d083f9",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "rare_process_by_host_windows_ecs",
-    "max_signals": 100,
-    "name": "Unusual Process For a Windows Host",
-    "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.466Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.454Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "f27e4361-f73d-40d8-b163-70cf4460c401",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious MS Outlook Child Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Azure Event Hub Authorization Rule Created or Updated",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
+    ],
+    "risk_score": 47,
+    "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
         },
         "technique": [
           {
-            "id": "T1193",
-            "name": "Spearphishing Attachment",
-            "reference": "https://attack.mitre.org/techniques/T1193/"
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.454Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.467Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "4084c5ed-0ec4-4818-bc44-9c15d3147222",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.",
+    "false_positives": [
+      "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "System Shells via Services",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
-    "references": [],
+    "name": "Azure Event Hub Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
+      "https://azure.microsoft.com/en-in/services/event-hubs/",
+      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+    "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1050",
-            "name": "New Service",
-            "reference": "https://attack.mitre.org/techniques/T1050/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.467Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.469Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.",
     "false_positives": [
-      "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
+      "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-45m",
-    "id": "831fe3e4-35d7-4a13-8660-eb18fc302bbb",
-    "immutable": true,
-    "interval": "15m",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "packetbeat_dns_tunneling",
-    "max_signals": 100,
-    "name": "DNS Tunneling",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Azure External Guest User Invitation",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:Success",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
+    "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Packetbeat"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.469Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.474Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
     ],
-    "from": "now-9m",
-    "id": "3c804832-e860-4df0-8d58-5c1fd269ef69",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "PsExec Network Connection",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:PsExec.exe",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1035",
-            "name": "Service Execution",
-            "reference": "https://attack.mitre.org/techniques/T1035/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0008",
-          "name": "Lateral Movement",
-          "reference": "https://attack.mitre.org/tactics/TA0008/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1035",
-            "name": "Service Execution",
-            "reference": "https://attack.mitre.org/techniques/T1035/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.474Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.478Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
     "false_positives": [
-      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."
+      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-45m",
-    "id": "b942554b-bd25-4a1c-b31a-6ec588edbaeb",
-    "immutable": true,
-    "interval": "15m",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "windows_anomalous_path_activity_ecs",
-    "max_signals": 100,
-    "name": "Unusual Windows Path Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
+    "name": "Azure Firewall Policy Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success",
     "references": [
-      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+      "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
+    "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-05T15:46:06.478Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.485Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
     ],
-    "from": "now-9m",
-    "id": "be34afc3-d0d6-4565-9b27-c8d01cde605b",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Potential Shell via Web Server",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
-    "references": ["https://pentestlab.blog/tag/web-shell/"],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1100",
-            "name": "Web Shell",
-            "reference": "https://attack.mitre.org/techniques/T1100/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-05T15:46:06.485Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 5
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:53:00.547Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "66f2ca6c-6aec-4536-b91b-1c54b0d53038",
-    "immutable": true,
-    "index": ["apm-*-transaction*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Web Application Suspicious Activity: sqlmap User Agent",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
-    "references": ["http://sqlmap.org/"],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["APM", "Elastic"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-05T15:53:00.547Z",
-    "updated_by": "marra.sherrier@elastic.co",
-    "version": 3
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.511Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
-    "enabled": false,
-    "exceptions_list": [],
+    "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.",
     "false_positives": [
-      "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
+      "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
-    "from": "now-6m",
-    "id": "0ba2602c-7574-41a9-8ced-3c1082298a8b",
-    "immutable": true,
-    "index": ["packetbeat-*"],
-    "interval": "5m",
-    "language": "lucene",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Halfbaked Command and Control Beacon",
-    "note": "This activity has been observed in FIN7 campaigns.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+    "name": "Azure Global Administrator Role Addition to PIM User",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:Success",
     "references": [
-      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
-      "https://attack.mitre.org/software/S0151/"
+      "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
     ],
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
+    "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
-        },
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
         "technique": [
           {
-            "id": "T1071",
-            "name": "Application Layer Protocol",
-            "reference": "https://attack.mitre.org/techniques/T1071/"
-          },
-          {
-            "id": "T1483",
-            "name": "Domain Generation Algorithms",
-            "reference": "https://attack.mitre.org/techniques/T1483/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.512Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.514Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
     "false_positives": [
-      "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
     "from": "now-25m",
-    "id": "485dfc40-770c-4672-9c5d-ad682eb259f5",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Resource Group Deletion",
+    "name": "Azure Key Vault Modified",
     "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and event.outcome:Success",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:Success",
     "references": [
-      "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
+      "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
+    "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Logging"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Data Protection"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1485",
-            "name": "Data Destruction",
-            "reference": "https://attack.mitre.org/techniques/T1485/"
+            "id": "T1081",
+            "name": "Credentials in Files",
+            "reference": "https://attack.mitre.org/techniques/T1081/"
           }
         ]
-      },
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
+    "false_positives": [
+      "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Azure Network Watcher Deletion",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
+    ],
+    "risk_score": 47,
+    "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Network Security"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -5300,175 +3692,120 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.514Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.516Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-20m",
-    "id": "78a26d35-8c8d-4f38-b624-7d82cdf120ea",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS Management Console Brute Force of Root User Identity",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure",
+    "name": "Azure Privilege Identity Management Role Modified",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:Success",
     "references": [
-      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
+      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"
     ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef",
-    "severity": "high",
-    "severity_mapping": [],
+    "risk_score": 47,
+    "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80",
+    "severity": "medium",
     "tags": [
-      "AWS",
-      "Continuous Monitoring",
       "Elastic",
-      "Identity and Access",
-      "SecOps"
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1110",
-            "name": "Brute Force",
-            "reference": "https://attack.mitre.org/techniques/T1110/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
-      }
-    ],
-    "threshold": {
-      "field": "cloud.account.id",
-      "value": 10
-    },
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "threshold",
-    "updated_at": "2020-10-07T10:12:04.516Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.517Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
-    ],
-    "from": "now-6m",
-    "id": "23748144-5b27-4c17-99e9-bac602de7b39",
-    "immutable": true,
-    "index": ["packetbeat-*"],
-    "interval": "5m",
-    "language": "lucene",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
-    "note": "This activity has been observed in FIN7 campaigns.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
-    "references": [
-      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
-      "https://www.justice.gov/opa/press-release/file/1084361/download"
-    ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1105",
-            "name": "Ingress Tool Transfer",
-            "reference": "https://attack.mitre.org/techniques/T1105/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.517Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.518Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.",
     "false_positives": [
-      "Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
     ],
     "from": "now-25m",
-    "id": "411e0eae-b552-49c8-ab6f-094cf8d81353",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Diagnostic Settings Deletion",
+    "name": "Azure Resource Group Deletion",
     "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:Success",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and event.outcome:Success",
     "references": [
-      "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
+      "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+    "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
+      "Cloud",
       "Azure",
-      "SecOps",
       "Continuous Monitoring",
-      "Monitoring"
+      "SecOps",
+      "Log Auditing"
     ],
     "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
+        },
+        "technique": [
+          {
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
+          }
+        ]
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -5485,211 +3822,301 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.518Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.519Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "f6a3a8ee-c98c-4868-b475-203a5be30d34",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.",
+    "false_positives": [
+      "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."
+    ],
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 33,
-    "name": "IIS HTTP Logging Disabled",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Azure Storage Account Key Regenerated",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:Success",
+    "references": [
+      "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"
+    ],
+    "risk_score": 21,
+    "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1070",
-            "name": "Indicator Removal on Host",
-            "reference": "https://attack.mitre.org/techniques/T1070/"
+            "id": "T1528",
+            "name": "Steal Application Access Token",
+            "reference": "https://attack.mitre.org/techniques/T1528/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.520Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.521Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
     "from": "now-9m",
-    "id": "49f39cba-43c3-49de-8701-7fdc6d03a170",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Conhost Spawned By Suspicious Parent Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)",
-    "references": [
-      "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
-    ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Base16 or Base32 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+    "risk_score": 21,
+    "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1059",
-            "name": "Command and Scripting Interpreter",
-            "reference": "https://attack.mitre.org/techniques/T1059/"
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.521Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.522Z",
-    "created_by": "tudor@elastic.co",
-    "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
     "false_positives": [
-      "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
     ],
-    "from": "now-6m",
-    "id": "f72dec0d-47b4-4395-861c-6c3ecbc42a71",
-    "immutable": true,
-    "index": ["packetbeat-*"],
-    "interval": "5m",
-    "language": "lucene",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Possible FIN7 DGA Command and Control Behavior",
-    "note": "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
-    "references": [
-      "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+    "name": "Base64 Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
+    "risk_score": 21,
+    "rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
     ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1483",
-            "name": "Domain Generation Algorithms",
-            "reference": "https://attack.mitre.org/techniques/T1483/"
-          },
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
           {
-            "id": "T1071",
-            "name": "Application Layer Protocol",
-            "reference": "https://attack.mitre.org/techniques/T1071/"
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.522Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Bypass UAC via Event Viewer",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:eventvwr.exe and not process.executable:(\"C:\\Windows\\SysWOW64\\mmc.exe\" or \"C:\\Windows\\System32\\mmc.exe\")",
+    "risk_score": 21,
+    "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1088",
+            "name": "Bypass User Account Control",
+            "reference": "https://attack.mitre.org/techniques/T1088/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Clearing Windows Event Logs",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog",
+    "risk_score": 21,
+    "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.523Z",
-    "created_by": "tudor@elastic.co",
+    "author": [
+      "Elastic"
+    ],
     "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.",
-    "enabled": false,
-    "exceptions_list": [],
     "false_positives": [
       "This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."
     ],
-    "from": "now-6m",
-    "id": "81f7290e-cd63-4a4a-ae5f-22b800d82436",
-    "immutable": true,
-    "index": ["packetbeat-*"],
-    "interval": "5m",
+    "index": [
+      "packetbeat-*"
+    ],
     "language": "lucene",
     "license": "Elastic License",
-    "max_signals": 100,
     "name": "Cobalt Strike Command and Control Beacon",
     "note": "This activity has been observed in FIN7 campaigns.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
     "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
     "references": [
       "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
       "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
     ],
     "risk_score": 73,
-    "risk_score_mapping": [],
     "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -5712,210 +4139,145 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.523Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.524Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.",
+    "false_positives": [
+      "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
+    ],
     "from": "now-9m",
-    "id": "35912d56-0eda-4166-acb8-40aaff4cc2ac",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious PrintSpooler Service Executable File Creation",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)",
-    "references": [
-      "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
-      "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"
+    "name": "Command Prompt Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"cmd.exe\" and event.type == \"start\"]\n  [network where process.name : \"cmd.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
-    "risk_score": 74,
-    "risk_score_mapping": [],
-    "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1068",
-            "name": "Exploitation for Privilege Escalation",
-            "reference": "https://attack.mitre.org/techniques/T1068/"
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.524Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "eql",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.525Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "98c5a241-c466-46b0-9890-412fbeffd1e3",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual File Modification by dns.exe",
-    "note": "### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. \n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and process.name:dns.exe and not file.name:dns.log",
+    "name": "Compression of Keychain Credentials Directories",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(zip or tar or gzip or 7za or hdiutil) and process.args:(\"/Library/Keychains/\" or \"/Network/Library/Keychains/\" or \"~/Library/Keychains/\")",
     "references": [
-      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
-      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
+      "https://objective-see.com/blog/blog_0x25.html"
     ],
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9",
+    "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1133",
-            "name": "External Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1133/"
+            "id": "T1142",
+            "name": "Keychain",
+            "reference": "https://attack.mitre.org/techniques/T1142/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.526Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.528Z",
-    "created_by": "tudor@elastic.co",
-    "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "086bb8a6-f9dc-4d8d-aa33-65602fca018f",
-    "immutable": true,
-    "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Hosts File Modified",
-    "note": "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")",
-    "references": [
-      "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"
-    ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "Windows", "macOS"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
-        },
-        "technique": [
-          {
-            "id": "T1492",
-            "name": "Stored Data Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1492/"
-          }
-        ]
-      }
+    "author": [
+      "Elastic"
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.528Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.529Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-25m",
-    "id": "acaa79b5-dbcc-4a71-af01-1e66534dcc5a",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Command Execution on Virtual Machine",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:Success",
+    "name": "Conhost Spawned By Suspicious Parent Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:conhost.exe and process.parent.name:(svchost.exe or lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)",
     "references": [
-      "https://adsecurity.org/?p=4277",
-      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
-      "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
+      "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "60884af6-f553-4a6c-af13-300047455491",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -5933,98 +4295,83 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.529Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.530Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
+    "false_positives": [
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+    ],
     "from": "now-9m",
-    "id": "c12d1b9f-bf76-4322-8b97-e351fa878451",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious Process Execution via Renamed PsExec Executable",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) and process.parent.name:services.exe and not process.name:(psexesvc.exe or PSEXESVC.exe)",
-    "references": [],
+    "name": "Connection to External Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"10.0.0.0/8\", \"172.16.0.0/12\",\n                                  \"192.168.0.0/16\", \"FE80::/10\", \"::1/128\")]\n",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
+    "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
         },
         "technique": [
           {
-            "id": "T1035",
-            "name": "Service Execution",
-            "reference": "https://attack.mitre.org/techniques/T1035/"
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.530Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "eql",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.531Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
     "false_positives": [
-      "Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."
+      "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
     ],
-    "from": "now-6m",
-    "id": "3007f81f-e337-47c1-8e11-d4d925982c59",
-    "immutable": true,
-    "index": ["packetbeat-*", "filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Abnormally Large DNS Response",
-    "note": "### Investigating Large DNS Responses\nDetection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:\n- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.\n- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and destination.port:53 and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000",
-    "references": [
-      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
-      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
-      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
     ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Connection to Internal Network via Telnet",
+    "query": "sequence by process.entity_id\n  [process where process.name == \"telnet\" and event.type == \"start\"]\n  [network where process.name == \"telnet\" and\n    cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\", \"FE80::/10\") and\n    not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "11013227-0301-4a8c-b150-4db924484475",
+    "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -6035,165 +4382,108 @@
         },
         "technique": [
           {
-            "id": "T1210",
-            "name": "Exploitation of Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1210/"
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.531Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "eql",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.533Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.",
     "false_positives": [
-      "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."
+      "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."
     ],
-    "from": "now-6m",
-    "id": "3c1759ed-11c4-443a-bbdf-745c41a10708",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Child Process of dns.exe",
-    "note": "### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe",
-    "references": [
-      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
-      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
-      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    "max_signals": 33,
+    "name": "Creation of Hidden Files and Directories",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\") AND process.args:/\\.[a-zA-Z0-9_\\-][a-zA-Z0-9_\\-\\.]{1,254}/ AND NOT process.name:(ls or find)",
+    "risk_score": 47,
+    "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
     ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1133",
-            "name": "External Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1133/"
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.533Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.534Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
-    ],
-    "from": "now-6m",
-    "id": "b6579c51-42f6-4869-9add-a8e3220d42c4",
-    "immutable": true,
-    "index": ["packetbeat-*"],
-    "interval": "5m",
-    "language": "lucene",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Inbound Connection to an Unsecure Elasticsearch Node",
-    "note": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
-    "references": [
-      "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
-      "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
-    ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
+            "id": "T1158",
+            "name": "Hidden Files and Directories",
+            "reference": "https://attack.mitre.org/techniques/T1158/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.534Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 3
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.537Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
     "from": "now-9m",
-    "id": "7999bfbd-15be-49da-9ff8-b3ab1b947437",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Kerberos Cached Credentials Dumping",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:kcc and process.args:copy_cred_cache",
+    "name": "Creation or Modification of Domain Backup DPAPI private key",
+    "note": "### Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
+    "query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
     "references": [
-      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
-      "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
+      "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
+      "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
     ],
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
+    "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "MacOS"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -6204,204 +4494,40 @@
         },
         "technique": [
           {
-            "id": "T1003",
-            "name": "OS Credential Dumping",
-            "reference": "https://attack.mitre.org/techniques/T1003/"
+            "id": "T1145",
+            "name": "Private Keys",
+            "reference": "https://attack.mitre.org/techniques/T1145/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.537Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.538Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
     "from": "now-9m",
-    "id": "c7650fa4-3655-4bf5-aa96-e81c6576e67a",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
-        },
-        "technique": [
-          {
-            "id": "T1059",
-            "name": "Command and Scripting Interpreter",
-            "reference": "https://attack.mitre.org/techniques/T1059/"
-          }
-        ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.538Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.540Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "d98b0bbc-d9e0-4521-9de5-2eb4164b4540",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Creation or Modification of Domain Backup DPAPI private key",
-    "note": "### Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and not event.type:deletion and file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)",
-    "references": [
-      "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
-      "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
-    ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
-        },
-        "technique": [
-          {
-            "id": "T1145",
-            "name": "Private Keys",
-            "reference": "https://attack.mitre.org/techniques/T1145/"
-          }
-        ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.540Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.541Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "db005919-c017-411d-98d2-b057d9f64dbb",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Compression of Keychain Credentials Directories",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(zip or tar or gzip or 7za or hdiutil) and process.args:(\"/Library/Keychains/\" or \"/Network/Library/Keychains/\" or \"~/Library/Keychains/\")",
-    "references": ["https://objective-see.com/blog/blog_0x25.html"],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "MacOS"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
-        },
-        "technique": [
-          {
-            "id": "T1142",
-            "name": "Keychain",
-            "reference": "https://attack.mitre.org/techniques/T1142/"
-          }
-        ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.542Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.543Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "540c33ed-8e80-4e1f-be82-ce002ddba526",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Creation or Modification of a new GPO Scheduled Task or Service",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Creation or Modification of a new GPO Scheduled Task or Service",
+    "query": "event.category:file and not event.type:deletion and file.path:(C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml or C\\:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml) and not process.name:dfsrs.exe",
+    "risk_score": 21,
+    "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -6434,246 +4560,207 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.543Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.544Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "24fddb11-9c36-49b1-8ac1-e745d78dd991",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious PrintSpooler SPL File Created",
-    "note": "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)",
-    "references": [
-      "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"
-    ],
-    "risk_score": 74,
-    "risk_score_mapping": [],
-    "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
+    "name": "Credential Dumping - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
+    "risk_score": 73,
+    "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
-        },
-        "technique": [
-          {
-            "id": "T1068",
-            "name": "Exploitation for Privilege Escalation",
-            "reference": "https://attack.mitre.org/techniques/T1068/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.544Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.582Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-25m",
-    "id": "f37082e9-6737-4bdf-a98b-0bb5a19640f7",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "description": "Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Key Vault Modified",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:Success",
-    "references": [
-      "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
-      "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault"
-    ],
+    "name": "Credential Dumping - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec",
+    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Azure",
-      "SecOps",
-      "Continuous Monitoring",
-      "Data Protection"
+      "Endpoint Security"
     ],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
-        },
-        "technique": [
-          {
-            "id": "T1081",
-            "name": "Credentials in Files",
-            "reference": "https://attack.mitre.org/techniques/T1081/"
-          }
-        ]
-      }
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Credential Manipulation - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
+    "risk_score": 73,
+    "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.582Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.584Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies suspicious .NET code execution. connections.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "9cdaf1ee-7ab9-4ac9-b08e-8563c60d51e1",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious .NET Code Compilation",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(csc.exe or vbc.exe) and process.parent.name:(wscript.exe or mshta.exe or wscript.exe or wmic.exe or svchost.exe or rundll32.exe or cmstp.exe or regsvr32.exe)",
-    "references": [],
+    "name": "Credential Manipulation - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
+    "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.",
+    "false_positives": [
+      "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "DNS Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or \"::1\" or \"ff02::fb\")",
+    "references": [
+      "https://www.us-cert.gov/ncas/alerts/TA15-240A",
+      "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf"
+    ],
+    "risk_score": 47,
+    "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1055",
-            "name": "Process Injection",
-            "reference": "https://attack.mitre.org/techniques/T1055/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.584Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "anomaly_threshold": 75,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.590Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
     ],
-    "from": "now-45m",
-    "id": "592d4534-7c49-4511-a056-6d65129384a6",
-    "immutable": true,
+    "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.",
+    "false_positives": [
+      "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
+    ],
+    "from": "now-45m",
     "interval": "15m",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_rare_metadata_user",
-    "max_signals": 100,
-    "name": "Unusual Linux User Calling the Metadata Service",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
+    "machine_learning_job_id": "packetbeat_dns_tunneling",
+    "name": "DNS Tunneling",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f",
+    "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
     "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.590Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 3
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.600Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
     "from": "now-9m",
-    "id": "2ee50bf9-2697-40b9-bfcd-82fd430606ad",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious Managed Code Hosting Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)",
-    "references": [
-      "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"
+    "name": "Delete Volume USN Journal with Fsutil",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:fsutil.exe and process.args:(deletejournal and usn)",
+    "risk_score": 21,
+    "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -6684,644 +4771,543 @@
         },
         "technique": [
           {
-            "id": "T1055",
-            "name": "Process Injection",
-            "reference": "https://attack.mitre.org/techniques/T1055/"
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.600Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "anomaly_threshold": 25,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.646Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-45m",
-    "id": "73354a6b-a48b-433b-bc29-791086f7c109",
-    "immutable": true,
-    "interval": "15m",
+    "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_network_connection_discovery",
-    "max_signals": 100,
-    "name": "Unusual Linux Network Connection Discovery",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
+    "name": "Deleting Backup Catalogs with Wbadmin",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:wbadmin.exe and process.args:(catalog and delete)",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+    "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1049",
-            "name": "System Network Connections Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1049/"
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.646Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.671Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "7495a2fc-f02b-4db0-9b6b-73762a89889a",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "description": "Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Pub/Sub Subscription Creation",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
-    "references": ["https://cloud.google.com/pubsub/docs/overview"],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"],
+    "name": "Deletion of Bash Command Line History",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.name:rm AND process.args:/\\/(home\\/.{1,255}|root)\\/\\.bash_history/",
+    "risk_score": 47,
+    "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0009",
-          "name": "Collection",
-          "reference": "https://attack.mitre.org/tactics/TA0009/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1530",
-            "name": "Data from Cloud Storage Object",
-            "reference": "https://attack.mitre.org/techniques/T1530/"
+            "id": "T1146",
+            "name": "Clear Command History",
+            "reference": "https://attack.mitre.org/techniques/T1146/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.671Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 3
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.642Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.",
     "from": "now-9m",
-    "id": "eb41d5e8-0a38-4ffe-920f-0446d3cd0e2e",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "InstallUtil Process Making Network Connections",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "/* this can be done without a sequence however, this does include more info on the process */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name == \"installutil.exe\"]\n  [network where event.type == \"connection\" and process.name == \"installutil.exe\" and network.direction == \"outgoing\"]\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
+    "name": "Direct Outbound SMB Connection",
+    "query": "sequence by process.entity_id\n  [process where event.type == \"start\" and process.pid != 4]\n  [network where destination.port == 445 and process.pid != 4 and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
         },
         "technique": [
           {
-            "id": "T1118",
-            "name": "InstallUtil",
-            "reference": "https://attack.mitre.org/techniques/T1118/"
+            "id": "T1210",
+            "name": "Exploitation of Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1210/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.642Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.640Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "3b8adba3-a73a-47ed-940a-e956277ce4fc",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP IAM Service Account Key Deletion",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success",
-    "references": [
-      "https://cloud.google.com/iam/docs/service-accounts",
-      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638",
-    "severity": "low",
-    "severity_mapping": [],
+    "name": "Disable Windows Firewall Rules via Netsh",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state)",
+    "risk_score": 47,
+    "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
+    "severity": "medium",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Identity and Access"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.640Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.662Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "90b183a8-a4f8-42e8-8144-f1a3e7c7c584",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Storage Bucket Deletion",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:storage.buckets.delete",
-    "references": ["https://cloud.google.com/storage/docs/key-terms#buckets"],
+    "name": "Encoding or Decoding Files via CertUtil",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode)",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+    "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Monitoring"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1485",
-            "name": "Data Destruction",
-            "reference": "https://attack.mitre.org/techniques/T1485/"
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.662Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.651Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "24a239d1-49e2-4f28-a5ac-bd1a9295a2ac",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Pub/Sub Topic Creation",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
-    "references": ["https://cloud.google.com/pubsub/docs/admin"],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"],
-    "threat": [
+    "description": "Generates a detection alert each time an Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
+    "enabled": true,
+    "exceptions_list": [
       {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0009",
-          "name": "Collection",
-          "reference": "https://attack.mitre.org/tactics/TA0009/"
-        },
-        "technique": [
-          {
-            "id": "T1530",
-            "name": "Data from Cloud Storage Object",
-            "reference": "https://attack.mitre.org/techniques/T1530/"
-          }
-        ]
+        "id": "endpoint_list",
+        "list_id": "endpoint_list",
+        "namespace_type": "agnostic",
+        "type": "endpoint"
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.651Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.661Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the password log file from the default Mimikatz memssp module.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "64d29a9e-c51f-453b-a184-1d3ee5ee5c70",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "from": "now-10m",
+    "index": [
+      "logs-endpoint.alerts-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Mimikatz Memssp Log File Detected",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
+    "max_signals": 10000,
+    "name": "Endpoint Security",
+    "query": "event.kind:alert and event.module:(endpoint and not endgame)",
+    "risk_score": 47,
+    "risk_score_mapping": [
       {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
-        },
-        "technique": [
-          {
-            "id": "T1003",
-            "name": "OS Credential Dumping",
-            "reference": "https://attack.mitre.org/techniques/T1003/"
-          }
-        ]
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
+    "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
+      }
+    ],
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "timestamp_override": "event.ingested",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.661Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.678Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
     "false_positives": [
-      "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+      "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "ee9e067e-45c3-4d19-8039-f483fb15b3e1",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Firewall Rule Modification",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.patch",
-    "references": ["https://cloud.google.com/vpc/docs/firewalls"],
+    "name": "Enumeration of Kernel Modules",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b",
+    "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Configuration Audit"
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
         },
         "technique": [
           {
-            "id": "T1562",
-            "name": "Impair Defenses",
-            "reference": "https://attack.mitre.org/techniques/T1562/"
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.678Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "anomaly_threshold": 25,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.665Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-45m",
-    "id": "b85c767d-8905-4a86-b2f9-930c7f274600",
-    "immutable": true,
-    "interval": "15m",
+    "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_network_configuration_discovery",
-    "max_signals": 100,
-    "name": "Unusual Linux System Network Configuration Discovery",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
+    "name": "Execution of File Written or Modified by Microsoft Office",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"WINWORD.EXE\" or\n      process.name : \"EXCEL.EXE\" or\n      process.name : \"OUTLOOK.EXE\" or\n      process.name : \"POWERPNT.EXE\" or\n      process.name : \"eqnedt32.exe\" or\n      process.name : \"fltldr.exe\" or\n      process.name : \"MSPUB.EXE\" or\n      process.name : \"MSACCESS.EXE\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
+    "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1016",
-            "name": "System Network Configuration Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1016/"
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          },
+          {
+            "id": "T1192",
+            "name": "Spearphishing Link",
+            "reference": "https://attack.mitre.org/techniques/T1192/"
+          },
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.665Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "eql",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.681Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "6b8b957e-a5e0-4c2b-89a6-f9a16f3c4993",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Pub/Sub Topic Deletion",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
-    "references": ["https://cloud.google.com/pubsub/docs/overview"],
+    "name": "Execution of File Written or Modified by PDF Reader",
+    "query": "sequence with maxspan=2h\n  [file where event.type != \"deletion\" and file.extension : \"exe\" and\n     (process.name : \"AcroRd32.exe\" or\n      process.name : \"rdrcef.exe\" or\n      process.name : \"FoxitPhantomPDF.exe\" or\n      process.name : \"FoxitReader.exe\") and\n     not (file.name : \"FoxitPhantomPDF.exe\" or\n          file.name : \"FoxitPhantomPDFUpdater.exe\" or\n          file.name : \"FoxitReader.exe\" or\n          file.name : \"FoxitReaderUpdater.exe\" or\n          file.name : \"AcroRd32.exe\" or\n          file.name : \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"],
+    "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1562",
-            "name": "Impair Defenses",
-            "reference": "https://attack.mitre.org/techniques/T1562/"
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
+          },
+          {
+            "id": "T1192",
+            "name": "Spearphishing Link",
+            "reference": "https://attack.mitre.org/techniques/T1192/"
+          },
+          {
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.681Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "eql",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.657Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.",
     "from": "now-9m",
-    "id": "e3d3109c-8684-4c38-9615-2ca16ed80364",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Bypass UAC via Sdclt",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and process.name == \"sdclt.exe\" and\n     /* process.code_signature.* fields need to be populated for 7.10 */\n     process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and\n     process.args == \"/kickoffelev\"\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name == \"sdclt.exe\" and\n     process.executable not in (\"C:\\\\Windows\\\\System32\\\\sdclt.exe\",\n                                \"C:\\\\Windows\\\\System32\\\\control.exe\",\n                                \"C:\\\\Windows\\\\SysWOW64\\\\sdclt.exe\",\n                                \"C:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n  ] by process.parent.entity_id\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9b54e002-034a-47ac-9307-ad12c03fa900",
+    "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe",
+    "risk_score": 73,
+    "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1088",
-            "name": "Bypass User Account Control",
-            "reference": "https://attack.mitre.org/techniques/T1088/"
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.658Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "query",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.656Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.",
     "from": "now-9m",
-    "id": "0cfdf3ea-178a-4329-8a30-1505d99ce258",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Network Activity from a Windows System Binary",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     process.name in (\"bginfo.exe\",\n                      \"cdb.exe\",\n                      \"control.exe\",\n                      \"cmstp.exe\",\n                      \"csi.exe\",\n                      \"dnx.exe\",\n                      \"fsi.exe\",\n                      \"ieexec.exe\",\n                      \"iexpress.exe\",\n                      \"installutil.exe\",\n                      \"Microsoft.Workflow.Compiler.exe\",\n                      \"MSBuild.exe\",\n                      \"msdt.exe\",\n                      \"mshta.exe\",\n                      \"msiexec.exe\",\n                      \"msxsl.exe\",\n                      \"odbcconf.exe\",\n                      \"rcsi.exe\",\n                      \"regsvr32.exe\",\n                      \"xwizard.exe\")]\n  [network where event.type == \"connection\" and\n     process.name in (\"bginfo.exe\",\n                      \"cdb.exe\",\n                      \"control.exe\",\n                      \"cmstp.exe\",\n                      \"csi.exe\",\n                      \"dnx.exe\",\n                      \"fsi.exe\",\n                      \"ieexec.exe\",\n                      \"iexpress.exe\",\n                      \"installutil.exe\",\n                      \"Microsoft.Workflow.Compiler.exe\",\n                      \"MSBuild.exe\",\n                      \"msdt.exe\",\n                      \"mshta.exe\",\n                      \"msiexec.exe\",\n                      \"msxsl.exe\",\n                      \"odbcconf.exe\",\n                      \"rcsi.exe\",\n                      \"regsvr32.exe\",\n                      \"xwizard.exe\")]\n",
-    "references": [],
+    "name": "Execution via Regsvcs/Regasm",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "rule_id": "47f09343-8d1f-4bb5-8bb0-00c9d18f5010",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1121",
+            "name": "Regsvcs/Regasm",
+            "reference": "https://attack.mitre.org/techniques/T1121/"
+          }
+        ]
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -7331,299 +5317,217 @@
         },
         "technique": [
           {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
-          }
+            "id": "T1121",
+            "name": "Regsvcs/Regasm",
+            "reference": "https://attack.mitre.org/techniques/T1121/"
+          }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.656Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.667Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
     ],
-    "from": "now-6m",
-    "id": "6fb42378-c534-4441-b33e-aca210eaef8e",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Virtual Private Cloud Route Creation",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)",
-    "references": [
-      "https://cloud.google.com/vpc/docs/routes",
-      "https://cloud.google.com/vpc/docs/using-routes"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
-    "severity": "low",
-    "severity_mapping": [],
+    "name": "Exploit - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+    "risk_score": 73,
+    "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
+    "severity": "high",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Configuration Audit"
+      "Endpoint Security"
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.667Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.648Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-45m",
-    "id": "4f66966b-304e-4b7a-a874-1a0de06a4b58",
-    "immutable": true,
-    "interval": "15m",
+    "description": "Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_rare_metadata_process",
-    "max_signals": 100,
-    "name": "Unusual Process Calling the Metadata Service",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.648Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "name": "Exploit - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
+    "risk_score": 47,
+    "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.598Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "c8419b74-4130-43a8-a1b2-5686a8803107",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.",
+    "index": [
+      "apm-*-transaction*",
+      "auditbeat-*",
+      "filebeat-*",
+      "logs-*",
+      "packetbeat-*",
+      "winlogbeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 33,
-    "name": "Microsoft IIS Connection Strings Decryption",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe) and process.args:(connectionStrings and \"-pdf\")",
-    "references": [
-      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
-      "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
+    "max_signals": 10000,
+    "name": "External Alerts",
+    "query": "event.kind:alert and not event.module:(endgame or endpoint)",
+    "risk_score": 47,
+    "risk_score_mapping": [
+      {
+        "field": "event.risk_score",
+        "operator": "equals",
+        "value": ""
+      }
     ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
+    "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa",
+    "rule_name_override": "message",
+    "severity": "medium",
+    "severity_mapping": [
       {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
-        },
-        "technique": [
-          {
-            "id": "T1003",
-            "name": "OS Credential Dumping",
-            "reference": "https://attack.mitre.org/techniques/T1003/"
-          }
-        ]
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "low",
+        "value": "21"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "medium",
+        "value": "47"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "high",
+        "value": "73"
+      },
+      {
+        "field": "event.severity",
+        "operator": "equals",
+        "severity": "critical",
+        "value": "99"
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Windows",
+      "APM",
+      "macOS",
+      "Linux"
+    ],
+    "timestamp_override": "event.ingested",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.598Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.653Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.",
     "false_positives": [
-      "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "90d86b47-0bf7-4cd1-b529-ed6638e274ad",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Logging Sink Deletion",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
-    "references": ["https://cloud.google.com/logging/docs/export"],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"],
+    "name": "FTP (File Transfer Protocol) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(20 or 21) or event.dataset:zeek.ftp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 21,
+    "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1562",
-            "name": "Impair Defenses",
-            "reference": "https://attack.mitre.org/techniques/T1562/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.653Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.676Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of MS Office applications.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "54af43f9-6148-4342-bb6f-61934edf4295",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Execution of File Written or Modified by Microsoft Office",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence with maxspan=2h\n  [file where event.type != \"delete\" and file.extension == \"exe\" and\n     process.name in (\"winword.exe\",\n                      \"excel.exe\",\n                      \"outlook.exe\",\n                      \"powerpnt.exe\",\n                      \"eqnedt32.exe\",\n                      \"fltldr.exe\",\n                      \"mspub.exe\",\n                      \"msaccess.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
         },
         "technique": [
           {
-            "id": "T1064",
-            "name": "Scripting",
-            "reference": "https://attack.mitre.org/techniques/T1064/"
-          },
-          {
-            "id": "T1192",
-            "name": "Spearphishing Link",
-            "reference": "https://attack.mitre.org/techniques/T1192/"
-          },
-          {
-            "id": "T1193",
-            "name": "Spearphishing Attachment",
-            "reference": "https://attack.mitre.org/techniques/T1193/"
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.676Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.690Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
     "from": "now-9m",
-    "id": "1ce25092-8dbb-45f5-8fc6-08c31dd0caf9",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Child Processes of RunDLL32",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and\n\n     /* zero arguments excluding the binary itself (and accounting for when the binary may not be logged in args) */\n     ((process.args == \"rundll32.exe\" and process.args_count == 1) or\n      (process.args != \"rundll32.exe\" and process.args_count == 0))\n\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")\n  ] by process.parent.entity_id\n",
-    "references": [],
+    "name": "File Deletion via Shred",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -7634,245 +5538,193 @@
         },
         "technique": [
           {
-            "id": "T1085",
-            "name": "Rundll32",
-            "reference": "https://attack.mitre.org/techniques/T1085/"
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.691Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.687Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.",
+    "false_positives": [
+      "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+    ],
     "from": "now-9m",
-    "id": "a803814d-bd8c-49d1-b94a-66ace487c00c",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Installation of Custom Shim Databases",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "/* dependent on wildcard for registry.value */\n\nsequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n     not (process.name == \"sdbinst.exe\" and process.parent.name == \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n     wildcard(registry.path, \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\")]\n",
-    "references": [],
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "File Permission Modification in Writable Directory",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1138",
-            "name": "Application Shimming",
-            "reference": "https://attack.mitre.org/techniques/T1138/"
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.687Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "anomaly_threshold": 25,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.682Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for stealth.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
     "false_positives": [
-      "A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection. Troubleshooting or debugging activity using unusual arguments could also trigger this detection."
+      "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
     ],
-    "from": "now-45m",
-    "id": "a84716dc-c0c6-4c9d-b3e5-9603255e51ff",
-    "immutable": true,
-    "interval": "15m",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_rare_kernel_module_arguments",
-    "max_signals": 100,
-    "name": "Anomalous Kernel Module Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": ["references"],
+    "name": "GCP Firewall Rule Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.insert",
+    "references": [
+      "https://cloud.google.com/vpc/docs/firewalls"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
+    "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1215",
-            "name": "Kernel Modules and Extensions",
-            "reference": "https://attack.mitre.org/techniques/T1215/"
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.682Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "query",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.697Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "45284718-ef49-41da-b90a-afe8a1009c63",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
+    "false_positives": [
+      "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Remote File Download via Desktopimgdownldr Utility",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
+    "name": "GCP Firewall Rule Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.delete",
     "references": [
-      "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
+      "https://cloud.google.com/vpc/docs/firewalls"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+    "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1105",
-            "name": "Ingress Tool Transfer",
-            "reference": "https://attack.mitre.org/techniques/T1105/"
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.697Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "anomaly_threshold": 75,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.704Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-45m",
-    "id": "1e7905be-c768-45f1-b5d1-6319d840e2af",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "windows_rare_metadata_user",
-    "max_signals": 100,
-    "name": "Unusual Windows User Calling the Metadata Service",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.704Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.685Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
+    "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
     "false_positives": [
-      "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-6m",
-    "id": "64b8ed5b-b8f2-448e-bdb4-4fb43e0afa0f",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Logging Bucket Deletion",
+    "name": "GCP Firewall Rule Modification",
     "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.patch",
     "references": [
-      "https://cloud.google.com/logging/docs/buckets",
-      "https://cloud.google.com/logging/docs/storage"
+      "https://cloud.google.com/vpc/docs/firewalls"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
+    "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -7890,200 +5742,206 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.685Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.587Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "e6e8e913-ab32-4365-9ebd-d03bd8df695d",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+    "false_positives": [
+      "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Network Connection Sequence via RunDLL32",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence by process.entity_id with maxspan=2h\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and\n\n     /* zero arguments excluding the binary itself (and accounting for when the binary may not be logged in args) */\n     ((process.args == \"rundll32.exe\" and process.args_count == 1) or\n      (process.args != \"rundll32.exe\" and process.args_count == 0))]\n\n  [network where event.type == \"connection\" and\n     (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "2b347f66-6739-4ae3-bd94-195036dde8b3",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "GCP IAM Custom Role Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/understanding-custom-roles"
+    ],
+    "risk_score": 47,
+    "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1085",
-            "name": "Rundll32",
-            "reference": "https://attack.mitre.org/techniques/T1085/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.587Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "query",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.707Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.",
     "false_positives": [
-      "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-6m",
-    "id": "c8866240-d153-40b7-8f0b-4fc5182bb4d8",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Logging Sink Modification",
+    "name": "GCP IAM Role Deletion",
     "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success",
     "references": [
-      "https://cloud.google.com/logging/docs/export#how_sinks_work"
+      "https://cloud.google.com/iam/docs/understanding-roles"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
+    "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0010",
-          "name": "Exfiltration",
-          "reference": "https://attack.mitre.org/tactics/TA0010/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1537",
-            "name": "Transfer Data to Cloud Account",
-            "reference": "https://attack.mitre.org/techniques/T1537/"
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.708Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.699Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "6e77002d-f0b0-4d8b-9d18-c4fe0f9bba41",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.",
+    "false_positives": [
+      "Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Remote File Copy via TeamViewer",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
+    "name": "GCP IAM Service Account Key Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success",
     "references": [
-      "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
+    "risk_score": 21,
+    "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "threat": [
+      {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1105",
-            "name": "Ingress Tool Transfer",
-            "reference": "https://attack.mitre.org/techniques/T1105/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.699Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.702Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies registration utilities making outbound network connections. This includes regsvcs, regasm, and regsvr32. This may indicate adversarial activity as these tools are often leveraged by adversaries to execute code and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "eae4df08-b4a1-4561-960b-0e3af06ed090",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.",
+    "false_positives": [
+      "Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Registration Tool Making Network Connections",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and\n     process.name in (\"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\")]\n  [network where event.type == \"connection\" and process.name in (\"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\")]\nuntil\n  [process where event.type == \"end\" and process.name in (\"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\")]\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6",
+    "name": "GCP Logging Bucket Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/logging/docs/buckets",
+      "https://cloud.google.com/logging/docs/storage"
+    ],
+    "risk_score": 47,
+    "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -8094,454 +5952,345 @@
         },
         "technique": [
           {
-            "id": "T1121",
-            "name": "Regsvcs/Regasm",
-            "reference": "https://attack.mitre.org/techniques/T1121/"
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.703Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "query",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.611Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Detects use of the systemsetup command to enable remote SSH Login.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "2a61e488-89b8-4412-8f09-9b037b1d1b8c",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.",
+    "false_positives": [
+      "Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Remote SSH Login Enabled via systemsetup Command",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-f\" and \"-setremotelogin\" and on)",
+    "name": "GCP Logging Sink Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success",
     "references": [
-      "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
-      "https://ss64.com/osx/systemsetup.html"
+      "https://cloud.google.com/logging/docs/export"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc",
+    "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "MacOS"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0008",
-          "name": "Lateral Movement",
-          "reference": "https://attack.mitre.org/tactics/TA0008/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1021",
-            "name": "Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1021/"
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.611Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.605Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "1aea61aa-b2e7-49c5-85dc-ad0f792cf688",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.",
+    "false_positives": [
+      "Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.args:(/autoclean or /AUTOCLEAN) and process.parent.name:svchost.exe and not process.executable:(\"C:\\Windows\\System32\\cleanmgr.exe\" or \"C:\\Windows\\SysWOW64\\cleanmgr.exe\")",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "GCP Logging Sink Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/logging/docs/export#how_sinks_work"
+    ],
+    "risk_score": 21,
+    "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Log Auditing"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
         },
         "technique": [
           {
-            "id": "T1088",
-            "name": "Bypass User Account Control",
-            "reference": "https://attack.mitre.org/techniques/T1088/"
+            "id": "T1537",
+            "name": "Transfer Data to Cloud Account",
+            "reference": "https://attack.mitre.org/techniques/T1537/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.606Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.709Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-25m",
-    "id": "269b1abe-ce73-4f7b-9639-b3903a6d2edc",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
+    "false_positives": [
+      "Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Automation Webhook Created",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and event.outcome:Success",
+    "name": "GCP Pub/Sub Subscription Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
     "references": [
-      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
-      "https://github.com/hausec/PowerZure",
-      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
-      "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
+      "https://cloud.google.com/pubsub/docs/overview"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+    "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Azure",
+      "Cloud",
+      "GCP",
       "Continuous Monitoring",
       "SecOps",
-      "Configuration Audit"
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
+        },
+        "technique": [
+          {
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
+          }
+        ]
+      }
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now-25m",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.709Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.673Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
     "false_positives": [
-      "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+      "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-6m",
-    "id": "fe8c637f-570a-433e-8f38-0bc777ac32da",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Storage Bucket Configuration Modification",
+    "name": "GCP Pub/Sub Subscription Deletion",
     "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:storage.buckets.update and event.outcome:success",
-    "references": ["https://cloud.google.com/storage/docs/key-terms#buckets"],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
-    "severity": "medium",
-    "severity_mapping": [],
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/pubsub/docs/overview"
+    ],
+    "risk_score": 21,
+    "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
+    "severity": "low",
     "tags": [
       "Elastic",
+      "Cloud",
       "GCP",
       "Continuous Monitoring",
       "SecOps",
-      "Identity and Access"
+      "Log Auditing"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
+          }
+        ]
+      }
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.673Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.632Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-25m",
-    "id": "dc81703a-e957-468f-b468-578e26485146",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.",
+    "false_positives": [
+      "Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Conditional Access Policy Modified",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Update policy\" or azure.auditlogs.operation_name:\"Update policy\" ) and event.outcome:success",
+    "name": "GCP Pub/Sub Topic Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
     "references": [
-      "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
+      "https://cloud.google.com/pubsub/docs/admin"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
-    "severity": "medium",
-    "severity_mapping": [],
+    "risk_score": 21,
+    "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
+    "severity": "low",
     "tags": [
       "Elastic",
-      "Azure",
+      "Cloud",
+      "GCP",
       "Continuous Monitoring",
       "SecOps",
-      "Configuration Audit"
+      "Log Auditing"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0009",
+          "name": "Collection",
+          "reference": "https://attack.mitre.org/tactics/TA0009/"
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1530",
+            "name": "Data from Cloud Storage Object",
+            "reference": "https://attack.mitre.org/techniques/T1530/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.632Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.625Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-25m",
-    "id": "aade14b5-ca2a-48aa-b1dc-e3c2c6485927",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Automation Runbook Deleted",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and event.outcome:Success",
-    "references": [
-      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
-      "https://github.com/hausec/PowerZure",
-      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
-      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+    "author": [
+      "Elastic"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": [
-      "Elastic",
-      "Azure",
-      "Continuous Monitoring",
-      "SecOps",
-      "Configuration Audit"
+    "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.",
+    "false_positives": [
+      "Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.625Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.630Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-25m",
-    "id": "e7a7775c-d9db-4d9f-a391-8a3b95493a3b",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Automation Runbook Created or Modified",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and event.outcome:Success",
+    "name": "GCP Pub/Sub Topic Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success",
     "references": [
-      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
-      "https://github.com/hausec/PowerZure",
-      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
-      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+      "https://cloud.google.com/pubsub/docs/overview"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+    "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Azure",
+      "Cloud",
+      "GCP",
       "Continuous Monitoring",
       "SecOps",
-      "Configuration Audit"
+      "Log Auditing"
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.630Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.738Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "1ae8b9da-fd42-4411-aebf-f72c1471ddce",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Persistence via Update Orchestrator Service Hijack",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.parent.args:(UsoSvc or usosvc) and not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe)",
-    "references": ["https://github.com/irsl/CVE-2020-1313"],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1050",
-            "name": "New Service",
-            "reference": "https://attack.mitre.org/techniques/T1050/"
+            "id": "T1562",
+            "name": "Impair Defenses",
+            "reference": "https://attack.mitre.org/techniques/T1562/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.739Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.736Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-25m",
-    "id": "848ad093-0fbd-4402-8e77-f95957e23eb1",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
+    "false_positives": [
+      "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "User Added as Owner for Azure Application",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:Success",
-    "references": [],
+    "name": "GCP Service Account Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
+    "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Azure",
+      "Cloud",
+      "GCP",
       "Continuous Monitoring",
       "SecOps",
-      "Configuration Audit"
+      "Identity and Access"
     ],
     "threat": [
       {
@@ -8553,315 +6302,276 @@
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.736Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.761Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "dd75d318-0f94-463d-bbec-6ce80c61cd2d",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Execution of File Written or Modified by PDF Reader",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence with maxspan=2h\n  [file where event.type != \"delete\" and file.extension == \"exe\" and\n     process.name in (\"acrord32.exe\", \"rdrcef.exe\", \"foxitphantomPDF.exe\", \"foxitreader.exe\") and\n     file.name not in (\"foxitphantomPDF.exe\",\n                       \"FoxitPhantomPDFUpdater.exe\",\n                       \"foxitreader.exe\",\n                       \"FoxitReaderUpdater.exe\",\n                       \"acrord32.exe\",\n                       \"rdrcef.exe\")\n  ] by host.id, file.path\n  [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "GCP Service Account Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1064",
-            "name": "Scripting",
-            "reference": "https://attack.mitre.org/techniques/T1064/"
-          },
-          {
-            "id": "T1192",
-            "name": "Spearphishing Link",
-            "reference": "https://attack.mitre.org/techniques/T1192/"
-          },
-          {
-            "id": "T1193",
-            "name": "Spearphishing Attachment",
-            "reference": "https://attack.mitre.org/techniques/T1193/"
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.761Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "query",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.759Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "81b46923-480f-4f2d-87ea-a0923bc17b69",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
+    "false_positives": [
+      "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious WMIC XSL Script Execution",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "/* lots of wildcards in the args\n   need to verify args cleanup is accurate\n*/\n\nsequence by process.entity_id with maxspan=2m\n[process where event.type in (\"start\", \"process_started\") and\n   (process.name == \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n   wildcard(process.args, \"format*:*\", \"/format*:*\", \"*-format*:*\") and\n   not process.args in (\"/format:table\", \"/format:table\") or wildcard(process.args, \"format*:*\")]\n[library where event.type == \"start\" and file.name in (\"jscript.dll\", \"vbscript.dll\")]\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+    "name": "GCP Service Account Disabled",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/iam/docs/service-accounts"
+    ],
+    "risk_score": 47,
+    "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1220",
-            "name": "XSL Script Processing",
-            "reference": "https://attack.mitre.org/techniques/T1220/"
+            "id": "T1531",
+            "name": "Account Access Removal",
+            "reference": "https://attack.mitre.org/techniques/T1531/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.759Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "query",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.615Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.",
     "false_positives": [
-      "Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-25m",
-    "id": "22e9ff2d-d54b-4f44-90bb-63945f219bf7",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure External Guest User Invitation",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:Success",
+    "name": "GCP Service Account Key Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success",
     "references": [
-      "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"
+      "https://cloud.google.com/iam/docs/service-accounts",
+      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e",
+    "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Azure",
-      "SecOps",
+      "Cloud",
+      "GCP",
       "Continuous Monitoring",
+      "SecOps",
       "Identity and Access"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
-        },
-        "technique": [
-          {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.615Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.604Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.",
     "false_positives": [
-      "Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-25m",
-    "id": "064ee4f5-712d-4f84-9955-f2e32b4d598f",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Event Hub Authorization Rule Created or Updated",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success",
+    "name": "GCP Storage Bucket Configuration Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:storage.buckets.update and event.outcome:success",
     "references": [
-      "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+    "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.",
+    "false_positives": [
+      "Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Storage Bucket Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:storage.buckets.delete",
+    "references": [
+      "https://cloud.google.com/storage/docs/key-terms#buckets"
+    ],
+    "risk_score": 47,
+    "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0009",
-          "name": "Collection",
-          "reference": "https://attack.mitre.org/tactics/TA0009/"
-        },
-        "technique": [
-          {
-            "id": "T1530",
-            "name": "Data from Cloud Storage Object",
-            "reference": "https://attack.mitre.org/techniques/T1530/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0010",
-          "name": "Exfiltration",
-          "reference": "https://attack.mitre.org/tactics/TA0010/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1537",
-            "name": "Transfer Data to Cloud Account",
-            "reference": "https://attack.mitre.org/techniques/T1537/"
+            "id": "T1485",
+            "name": "Data Destruction",
+            "reference": "https://attack.mitre.org/techniques/T1485/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.604Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.748Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
     "false_positives": [
-      "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+      "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-60m",
-    "id": "03ed2d90-a71c-4346-a4a8-81f20082887b",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "High Number of Okta User Password Reset or Unlock Attempts",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)",
+    "name": "GCP Storage Bucket Permissions Modification",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:storage.setIamPermissions and event.outcome:success",
     "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
+      "https://cloud.google.com/storage/docs/access-control/iam-permissions"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
+    "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
+      "Cloud",
+      "GCP",
       "Continuous Monitoring",
       "SecOps",
       "Identity and Access"
@@ -8876,187 +6586,198 @@
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
-        },
-        "technique": [
-          {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
-        },
-        "technique": [
-          {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
           }
         ]
       }
     ],
-    "threshold": {
-      "field": "okta.actor.id",
-      "value": 5
-    },
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "threshold",
-    "updated_at": "2020-10-07T10:12:04.748Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "query",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.775Z",
-    "created_by": "tudor@elastic.co",
+    "author": [
+      "Elastic"
+    ],
     "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
-    "enabled": false,
-    "exceptions_list": [],
     "false_positives": [
       "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
     ],
-    "from": "now-6m",
-    "id": "957f3a3f-cf53-41d4-9f17-81f048177f41",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
     "name": "GCP Virtual Private Cloud Network Deletion",
     "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
     "query": "event.dataset:googlecloud.audit and event.action:v*.compute.networks.delete and event.outcome:success",
-    "references": ["https://cloud.google.com/vpc/docs/vpc"],
+    "references": [
+      "https://cloud.google.com/vpc/docs/vpc"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
     "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
+      "Cloud",
       "GCP",
       "Continuous Monitoring",
       "SecOps",
       "Configuration Audit"
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.775Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.743Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
     "false_positives": [
-      "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."
+      "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
     ],
-    "from": "now-6m",
-    "id": "8a53c00f-4caf-4507-aaa7-ac40042ef5a4",
-    "immutable": true,
-    "index": ["packetbeat-*"],
-    "interval": "5m",
-    "language": "lucene",
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Public IP Reconnaissance Activity",
-    "note": "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer",
+    "name": "GCP Virtual Private Cloud Route Creation",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)",
     "references": [
-      "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
-      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511",
+    "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
     "severity": "low",
-    "severity_mapping": [],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
+    "false_positives": [
+      "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    ],
+    "index": [
+      "filebeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "GCP Virtual Private Cloud Route Deletion",
+    "note": "The GCP Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.routes.delete and event.outcome:success",
+    "references": [
+      "https://cloud.google.com/vpc/docs/routes",
+      "https://cloud.google.com/vpc/docs/using-routes"
+    ],
+    "risk_score": 47,
+    "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "GCP",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.",
+    "false_positives": [
+      "This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Halfbaked Command and Control Beacon",
+    "note": "This activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://attack.mitre.org/software/S0151/"
+    ],
+    "risk_score": 73,
+    "rule_id": "2e580225-2a58-48ef-938b-572933be06fe",
+    "severity": "high",
     "tags": [
       "Elastic",
       "Network",
-      "Threat Detection, Preventing and Hunting",
-      "Post-Execution"
+      "Threat Detection",
+      "Command and Control"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1016",
-            "name": "System Network Configuration Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1016/"
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
+          },
+          {
+            "id": "T1483",
+            "name": "Domain Generation Algorithms",
+            "reference": "https://attack.mitre.org/techniques/T1483/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.743Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.745Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+    "false_positives": [
+      "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+    ],
     "from": "now-9m",
-    "id": "0fdac883-5bbe-4351-8691-d1f0ba039680",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Executable File Creation by a System Critical Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Hex Encoding/Decoding Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)",
+    "risk_score": 21,
+    "rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -9067,53 +6788,12 @@
         },
         "technique": [
           {
-            "id": "T1211",
-            "name": "Exploitation for Defense Evasion",
-            "reference": "https://attack.mitre.org/techniques/T1211/"
+            "id": "T1140",
+            "name": "Deobfuscate/Decode Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1140/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.745Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.721Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
-    ],
-    "from": "now-25m",
-    "id": "73fb4b6f-ac2a-4ea7-b08e-3b11cd4eb9c9",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Network Watcher Deletion",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:Success",
-    "references": [
-      "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
-    ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Network"],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -9123,55 +6803,65 @@
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1027",
+            "name": "Obfuscated Files or Information",
+            "reference": "https://attack.mitre.org/techniques/T1027/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.721Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.609Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-25m",
-    "id": "7f48213e-7e7c-4bea-8a87-05c2348bca48",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
+    "false_positives": [
+      "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+    ],
+    "from": "now-60m",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Multi-Factor Authentication Disabled for an Azure User",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:Success",
-    "references": [],
+    "name": "High Number of Okta User Password Reset or Unlock Attempts",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or user.account.unlock_token)",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf",
+    "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Azure",
+      "Identity",
+      "Okta",
       "Continuous Monitoring",
       "SecOps",
       "Identity and Access"
     ],
     "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -9181,310 +6871,345 @@
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.609Z",
-    "updated_by": "tudor@elastic.co",
+    "threshold": {
+      "field": "okta.actor.id",
+      "value": 5
+    },
+    "type": "threshold",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.715Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."
+    "author": [
+      "Elastic"
+    ],
+    "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-25m",
-    "id": "5ee8e1e1-f80c-4542-80da-18736e96611b",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Storage Account Key Regenerated",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:Success",
+    "name": "Hosts File Modified",
+    "note": "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml.",
+    "query": "event.category:file and event.type:(change or creation) and file.path:(\"/private/etc/hosts\" or \"/etc/hosts\" or \"C:\\Windows\\System32\\drivers\\etc\\hosts\")",
     "references": [
-      "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"
+      "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908",
-    "severity": "low",
-    "severity_mapping": [],
+    "risk_score": 47,
+    "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c",
+    "severity": "medium",
     "tags": [
-      "Azure",
       "Elastic",
-      "SecOps",
-      "Continuous Monitoring",
-      "Identity and Access"
+      "Host",
+      "Linux",
+      "Windows",
+      "macOS",
+      "Threat Detection",
+      "Impact"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1528",
-            "name": "Steal Application Access Token",
-            "reference": "https://attack.mitre.org/techniques/T1528/"
+            "id": "T1492",
+            "name": "Stored Data Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1492/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.715Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.635Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.",
+    "false_positives": [
+      "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
     "from": "now-9m",
-    "id": "2daae15c-4b21-4bff-b0c1-449a31bbfc01",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Persistence via TelemetryController Scheduled Task Hijack",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe)",
+    "name": "Hping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)",
     "references": [
-      "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
+      "https://en.wikipedia.org/wiki/Hping"
     ],
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2",
+    "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "IIS HTTP Logging Disabled",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) and process.args:/dontLog\\:\\\"True\\\" and not process.parent.name:iissetup.exe",
+    "risk_score": 73,
+    "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1053",
-            "name": "Scheduled Task/Job",
-            "reference": "https://attack.mitre.org/techniques/T1053/"
+            "id": "T1070",
+            "name": "Indicator Removal on Host",
+            "reference": "https://attack.mitre.org/techniques/T1070/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.635Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.795Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.",
     "false_positives": [
-      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+      "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."
     ],
-    "from": "now-45m",
-    "id": "e91504aa-3e05-45f1-9597-42dae6649079",
-    "immutable": true,
-    "interval": "15m",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "windows_rare_metadata_process",
-    "max_signals": 100,
-    "name": "Unusual Windows Process Calling the Metadata Service",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
+    "name": "IPSEC NAT Traversal Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b",
+    "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "ML", "Windows"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.795Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.773Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "fb534096-0e42-41a7-b573-598edd385cfe",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Parent Process for cmd.exe",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1059",
-            "name": "Command and Scripting Interpreter",
-            "reference": "https://attack.mitre.org/techniques/T1059/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.773Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.692Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "247360f2-3112-4848-a1e3-5c9f7f55cc2e",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.",
+    "false_positives": [
+      "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Service Command Lateral Movement",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "/* dependent on a wildcard for remote path */\n\nsequence by process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n     (process.name == \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n     wildcard(process.args, \"\\\\\\\\*\") and wildcard(process.args, \"binPath*\", \"binpath*\") and\n     process.args in (\"create\", \"config\", \"failure\", \"start\")]\n  [network where event.type == \"connection\" and process.name == \"sc.exe\" and destination.address != \"127.0.0.1\"]\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0008",
-          "name": "Lateral Movement",
-          "reference": "https://attack.mitre.org/tactics/TA0008/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1021",
-            "name": "Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1021/"
-          },
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
           {
-            "id": "T1050",
-            "name": "New Service",
-            "reference": "https://attack.mitre.org/techniques/T1050/"
-          },
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.",
+    "false_positives": [
+      "If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "name": "Inbound Connection to an Unsecure Elasticsearch Node",
+    "note": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.",
+    "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization",
+    "references": [
+      "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
+      "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"
+    ],
+    "risk_score": 47,
+    "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
           {
-            "id": "T1035",
-            "name": "Service Execution",
-            "reference": "https://attack.mitre.org/techniques/T1035/"
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.692Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "query",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.713Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.",
     "from": "now-9m",
-    "id": "7fe8198e-9038-4fa7-a035-bf42e0a1c2a0",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
     "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Mshta Making Network Connections",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence by process.entity_id with maxspan=2h\n  [process where event.type in (\"start\", \"process_started\") and process.name == \"mshta.exe\" and\n     process.parent.name != \"Microsoft.ConfigurationManagement.exe\" and\n     process.parent.executable not in (\"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\",\n                                       \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     process.args != \"ADSelfService_Enroll.hta\"]\n  [network where process.name == \"mshta.exe\"]\n",
-    "references": [],
+    "name": "InstallUtil Process Making Network Connections",
+    "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n  [network where process.name : \"installutil.exe\" and network.direction == \"outgoing\"]\n",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "c2d90150-0133-451c-a783-533e736c12d7",
+    "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -9495,223 +7220,176 @@
         },
         "technique": [
           {
-            "id": "T1170",
-            "name": "Mshta",
-            "reference": "https://attack.mitre.org/techniques/T1170/"
+            "id": "T1118",
+            "name": "InstallUtil",
+            "reference": "https://attack.mitre.org/techniques/T1118/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.714Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.753Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Legit Application Crash with rare Werfault commandline value"
+    "author": [
+      "Elastic"
     ],
+    "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
     "from": "now-9m",
-    "id": "72efa599-476d-430b-9d56-3640a773ecb6",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Process Potentially Masquerading as WerFault",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:WerFault.exe and not process.args:(((\"-u\" or \"-pss\") and \"-p\" and \"-s\") or (\"/h\" and \"/shared\") or (\"-k\" and \"-lcq\"))",
-    "references": [
-      "https://twitter.com/SBousseaden/status/1235533224337641473",
-      "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/"
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8",
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Installation of Custom Shim Databases",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n     not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n  [registry where event.type in (\"creation\", \"change\") and\n     wildcard(registry.path, \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\")]\n",
+    "risk_score": 21,
+    "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1036",
-            "name": "Masquerading",
-            "reference": "https://attack.mitre.org/techniques/T1036/"
+            "id": "T1138",
+            "name": "Application Shimming",
+            "reference": "https://attack.mitre.org/techniques/T1138/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.753Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "eql",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.788Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "b799b8f5-bf71-4b01-b78e-dfb4b4e2b269",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Global Administrator Role Addition to PIM User",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or \"Add member to role in PIM completed (timebound)\") and azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and event.outcome:Success",
-    "references": [
-      "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
-    ],
+    "name": "Interactive Terminal Spawned via Perl",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8",
+    "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
     "severity": "high",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Azure",
-      "Continuous Monitoring",
-      "SecOps",
-      "Identity and Access"
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.788Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.769Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-25m",
-    "id": "f2945b32-7d9a-471e-a1de-0d0626ff7606",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Firewall Policy Deletion",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success",
-    "references": [
-      "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"
+    "name": "Interactive Terminal Spawned via Python",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+    "risk_score": 73,
+    "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Execution"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Network"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.769Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.755Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
     "from": "now-9m",
-    "id": "ee4fb79a-37d0-4402-982f-7beaa3e40eb0",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "lucene",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 33,
-    "name": "Microsoft IIS Service Account Password Dumped",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process AND event.type:(start OR process_started) AND (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe) AND process.args:(/[lL][iI][sS][tT]/ AND /\\/[tT][eE][xX][tT]\\:[pP][aA][sS][sS][wW][oO][rR][dD]/)",
+    "name": "Kerberos Cached Credentials Dumping",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:kcc and process.args:copy_cred_cache",
     "references": [
-      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
+      "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
+      "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
     ],
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
+    "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Credential Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -9729,334 +7407,291 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.755Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.781Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
     "false_positives": [
-      "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+      "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "a601151a-8c49-4f76-896e-46e17963dbd6",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Virtual Private Cloud Route Deletion",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.routes.delete and event.outcome:success",
+    "name": "Kernel Module Removal",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))",
     "references": [
-      "https://cloud.google.com/vpc/docs/routes",
-      "https://cloud.google.com/vpc/docs/using-routes"
+      "http://man7.org/linux/man-pages/man8/modprobe.8.html"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a",
-    "severity": "medium",
-    "severity_mapping": [],
+    "risk_score": 73,
+    "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+    "severity": "high",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Configuration Audit"
-    ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.781Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.684Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "e88255da-1dff-446d-8412-73d695d25980",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Remote File Download via MpCmdRun",
-    "note": "### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
-    "references": [
-      "https://twitter.com/mohammadaskar2/status/1301263551638761477",
-      "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1105",
-            "name": "Ingress Tool Transfer",
-            "reference": "https://attack.mitre.org/techniques/T1105/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1215",
+            "name": "Kernel Modules and Extensions",
+            "reference": "https://attack.mitre.org/techniques/T1215/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.684Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.765Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable to avoid detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.",
+    "false_positives": [
+      "Legitimate scheduled tasks may be created during installation of new software."
+    ],
     "from": "now-9m",
-    "id": "c1f156db-a3be-4c9b-a37e-989e521f481a",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "lucene",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Renamed AutoIt Scripts Interpreter",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process AND event.type:(start OR process_started) AND process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/ AND NOT process.name:/[aA][uU][tT][oO][iI][tT]\\d{1,3}\\.[eE][xX][eE]/",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Local Scheduled Task Commands",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
+    "risk_score": 21,
+    "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1036",
-            "name": "Masquerading",
-            "reference": "https://attack.mitre.org/techniques/T1036/"
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.765Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.793Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
     "from": "now-9m",
-    "id": "c8daca10-6ec6-423d-946e-a3decae0e412",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "MsXsl Making Network Connections",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name == \"msxsl.exe\"]\n  [network where event.type == \"connection\" and process.name == \"msxsl.exe\" and network.direction == \"outgoing\"]\n",
-    "references": [],
+    "name": "Local Service Commands",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "870d1753-1078-403e-92d4-735f142edcca",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1220",
-            "name": "XSL Script Processing",
-            "reference": "https://attack.mitre.org/techniques/T1220/"
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.793Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.770Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
     ],
-    "from": "now-6m",
-    "id": "3aa26bfe-d421-4d46-8003-01468673b401",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Storage Bucket Permissions Modification",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:storage.setIamPermissions and event.outcome:success",
-    "references": [
-      "https://cloud.google.com/storage/docs/access-control/iam-permissions"
+    "name": "Malware - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+    "risk_score": 99,
+    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d",
-    "severity": "medium",
-    "severity_mapping": [],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Malware - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
+    "risk_score": 73,
+    "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
+    "severity": "high",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Identity and Access"
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Microsoft Build Engine Loading Windows Credential Libraries",
+    "query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
+    "risk_score": 73,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1222",
-            "name": "File and Directory Permissions Modification",
-            "reference": "https://attack.mitre.org/techniques/T1222/"
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.770Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.750Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-25m",
-    "id": "7b50aaf8-575c-45c8-8657-7bca9cc399bd",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Automation Account Created",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and event.outcome:Success",
+    "name": "Microsoft Build Engine Started an Unusual Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe)",
     "references": [
-      "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
-      "https://github.com/hausec/PowerZure",
-      "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
-      "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
-      "Azure",
-      "Continuous Monitoring",
       "Elastic",
-      "Identity and Access",
-      "SecOps"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
     "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
-        },
-        "technique": [
-          {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
-          }
-        ]
-      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -10066,47 +7701,43 @@
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1500",
+            "name": "Compile After Delivery",
+            "reference": "https://attack.mitre.org/techniques/T1500/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.750Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.644Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
     "from": "now-9m",
-    "id": "4cf00bcf-3518-41b2-b641-11b5be3f8127",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Child Process from a System Virtual Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Microsoft Build Engine Started by a Script Process",
+    "query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -10117,54 +7748,18 @@
         },
         "technique": [
           {
-            "id": "T1055",
-            "name": "Process Injection",
-            "reference": "https://attack.mitre.org/techniques/T1055/"
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.644Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.764Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "92956d06-5f23-4026-80af-8bf14f7ffecb",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "MsBuild Network Connection Sequence",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.name == \"MSBuild.exe\"]\n  [network where process.name == \"MSBuild.exe\" and\n     not (destination.address == \"127.0.0.1\" and source.address == \"127.0.0.1\")]\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
@@ -10175,43 +7770,36 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.764Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.659Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.",
     "false_positives": [
-      "Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "7c8cfbb3-d6ed-43af-b35d-3e48ba0dcc48",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Pub/Sub Subscription Deletion",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success",
-    "references": ["https://cloud.google.com/pubsub/docs/overview"],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"],
+    "name": "Microsoft Build Engine Started by a System Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
+    "risk_score": 47,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -10222,47 +7810,61 @@
         },
         "technique": [
           {
-            "id": "T1562",
-            "name": "Impair Defenses",
-            "reference": "https://attack.mitre.org/techniques/T1562/"
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.659Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.607Z",
-    "created_by": "tudor@elastic.co",
-    "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
+    ],
     "from": "now-9m",
-    "id": "aa6628b9-8964-4ba6-b977-318e88ccc1c9",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious Endpoint Security Parent Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(esensor.exe or \"elastic-endpoint.exe\" or \"elastic-agent.exe\") and not process.parent.executable:\"C:\\Windows\\System32\\services.exe\"",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Microsoft Build Engine Started by an Office Application",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
+    "references": [
+      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -10273,100 +7875,58 @@
         },
         "technique": [
           {
-            "id": "T1036",
-            "name": "Masquerading",
-            "reference": "https://attack.mitre.org/techniques/T1036/"
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.607Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "anomaly_threshold": 75,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.757Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
-    ],
-    "from": "now-45m",
-    "id": "d692f084-e564-4618-9566-ca2751b81463",
-    "immutable": true,
-    "interval": "15m",
-    "license": "Elastic License",
-    "machine_learning_job_id": "linux_system_information_discovery",
-    "max_signals": 100,
-    "name": "Unusual Linux System Information Discovery Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1082",
-            "name": "System Information Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1082/"
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.757Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "anomaly_threshold": 75,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.591Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.",
     "false_positives": [
-      "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
     ],
-    "from": "now-45m",
-    "id": "9c19fe8e-d6ff-44c7-b380-29d7f579cdc4",
-    "immutable": true,
-    "interval": "15m",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_rare_sudo_user",
-    "max_signals": 100,
-    "name": "Unusual Sudo Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
+    "name": "Microsoft Build Engine Using an Alternate Name",
+    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0",
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -10377,169 +7937,92 @@
         },
         "technique": [
           {
-            "id": "T1548",
-            "name": "Abuse Elevation Control Mechanism",
-            "reference": "https://attack.mitre.org/techniques/T1548/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
-        },
-        "technique": [
-          {
-            "id": "T1548",
-            "name": "Abuse Elevation Control Mechanism",
-            "reference": "https://attack.mitre.org/techniques/T1548/"
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.591Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.679Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "2287fe13-debb-4cf1-89cd-51536c5d8783",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Service Account Creation",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success",
-    "references": ["https://cloud.google.com/iam/docs/service-accounts"],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623",
-    "severity": "low",
-    "severity_mapping": [],
+    "max_signals": 33,
+    "name": "Microsoft IIS Connection Strings Decryption",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe or winlog.event_data.OriginalFileName:aspnet_regiis.exe) and process.args:(connectionStrings and \"-pdf\")",
+    "references": [
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+      "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
+    ],
+    "risk_score": 73,
+    "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+    "severity": "high",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Identity and Access"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1136",
-            "name": "Create Account",
-            "reference": "https://attack.mitre.org/techniques/T1136/"
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.679Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.706Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the course of troubleshooting or fixing a software issue."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-45m",
-    "id": "52fa49aa-6917-4492-b174-3abd260689d6",
-    "immutable": true,
-    "interval": "15m",
+    "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_rare_user_compiler",
-    "max_signals": 100,
-    "name": "Anomalous Linux Compiler Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.706Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.791Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
-    ],
-    "from": "now-6m",
-    "id": "686587c7-0644-4906-bc57-d16dc5ced965",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Service Account Key Creation",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success",
+    "max_signals": 33,
+    "name": "Microsoft IIS Service Account Password Dumped",
+    "query": "event.category:process AND event.type:(start OR process_started) AND (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe or winlog.event_data.OriginalFileName:appcmd.exe) AND process.args:(/[lL][iI][sS][tT]/ AND /\\/[tT][eE][xX][tT]\\:[pP][aA][sS][sS][wW][oO][rR][dD]/)",
     "references": [
-      "https://cloud.google.com/iam/docs/service-accounts",
-      "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"
+      "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1",
-    "severity": "low",
-    "severity_mapping": [],
+    "risk_score": 73,
+    "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
+    "severity": "high",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Identity and Access"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
     ],
     "threat": [
       {
@@ -10551,73 +8034,117 @@
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.791Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.725Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-25m",
-    "id": "bf37c0e9-3a26-4863-8ed1-ee2ed529cc92",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the password log file from the default Mimikatz memssp module.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Privilege Identity Management Role Modified",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:Success",
-    "references": [
-      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
-      "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"
-    ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80",
-    "severity": "medium",
-    "severity_mapping": [],
+    "name": "Mimikatz Memssp Log File Detected",
+    "query": "event.category:file and file.name:mimilsa.log and process.name:lsass.exe",
+    "risk_score": 73,
+    "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
+    "severity": "high",
     "tags": [
       "Elastic",
-      "Azure",
-      "Continuous Monitoring",
-      "SecOps",
-      "Identity and Access"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Credential Access"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1003",
+            "name": "OS Credential Dumping",
+            "reference": "https://attack.mitre.org/techniques/T1003/"
           }
         ]
-      },
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.",
+    "false_positives": [
+      "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Mknod Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:mknod",
+    "references": [
+      "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/"
+    ],
+    "risk_score": 21,
+    "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Modification of Boot Configuration",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled))",
+    "risk_score": 21,
+    "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -10627,351 +8154,343 @@
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.725Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.602Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-180m",
-    "id": "1aaea48a-e3db-4e0e-88fe-00310a201fb1",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempts to Brute Force an Okta User Account",
+    "name": "Modification or Removal of an Okta Application Sign-On Policy",
     "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:user.account.lock",
+    "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
     "references": [
       "https://developer.okta.com/docs/reference/api/system-log/",
       "https://developer.okta.com/docs/reference/api/event-types/"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
+    "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
+      "Identity",
       "Okta",
       "Continuous Monitoring",
       "SecOps",
       "Identity and Access"
     ],
+    "type": "query",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "MsBuild Making Network Connections",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n  [network where process.name : \"MSBuild.exe\" and\n     not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+    "risk_score": 47,
+    "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1110",
-            "name": "Brute Force",
-            "reference": "https://attack.mitre.org/techniques/T1110/"
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
           }
         ]
       }
     ],
-    "threshold": {
-      "field": "okta.actor.id",
-      "value": 3
-    },
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "threshold",
-    "updated_at": "2020-10-07T10:12:04.602Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "eql",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.701Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "676f8fa3-d14b-4bd6-8445-4ed9960cc49c",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP IAM Role Deletion",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success",
-    "references": ["https://cloud.google.com/iam/docs/understanding-roles"],
+    "name": "Mshta Making Network Connections",
+    "query": "sequence by process.entity_id with maxspan=2h\n  [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n     not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n     not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n          process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n     not process.args : \"ADSelfService_Enroll.hta\"]\n  [network where process.name : \"mshta.exe\"]\n",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
-    "severity": "low",
-    "severity_mapping": [],
+    "rule_id": "c2d90150-0133-451c-a783-533e736c12d7",
+    "severity": "medium",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Identity and Access"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1531",
-            "name": "Account Access Removal",
-            "reference": "https://attack.mitre.org/techniques/T1531/"
+            "id": "T1170",
+            "name": "Mshta",
+            "reference": "https://attack.mitre.org/techniques/T1170/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.701Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "eql",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.762Z",
-    "created_by": "tudor@elastic.co",
-    "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": ["Custom Windows Error Reporting Debugger"],
-    "from": "now-9m",
-    "id": "206acdc2-e3ca-4343-9762-eee2c9ea0162",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious WerFault Child Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)",
-    "references": [
-      "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
-      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx"
-    ],
+    "name": "Multi-Factor Authentication Disabled for an Azure User",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:Success",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
+    "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1036",
-            "name": "Masquerading",
-            "reference": "https://attack.mitre.org/techniques/T1036/"
-          }
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
+          }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.762Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.767Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.",
     "from": "now-9m",
-    "id": "d339caf6-4114-4738-bbdb-dbd7d68b1551",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious Process from Conhost",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe",
-    "references": [
-      "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
-      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
+    "name": "Net command via SYSTEM account",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
+    "risk_score": 21,
+    "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
     ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
         },
         "technique": [
           {
-            "id": "T1055",
-            "name": "Process Injection",
-            "reference": "https://attack.mitre.org/techniques/T1055/"
+            "id": "T1087",
+            "name": "Account Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1087/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.767Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.747Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.",
     "false_positives": [
-      "Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."
     ],
-    "from": "now-25m",
-    "id": "c4c51f02-acb7-48f7-9004-54ca93618144",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Event Hub Deletion",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:Success",
+    "name": "Netcat Network Activity",
+    "query": "sequence by process.entity_id\n  [process where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\") and\n     event.type == \"start\"]\n  [network where (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n                  process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n",
     "references": [
-      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
-      "https://azure.microsoft.com/en-in/services/event-hubs/",
-      "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"
+      "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+      "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
+      "https://en.wikipedia.org/wiki/Netcat"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053",
+    "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via Certutil",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.747Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "eql",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.751Z",
-    "created_by": "tudor@elastic.co",
-    "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": ["New Zoom Executable"],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
     "from": "now-9m",
-    "id": "f519c9ea-d081-461b-a6ac-6e4a3f89f6fe",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious Zoom Child Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:Zoom.exe and not process.name:(Zoom.exe or WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or firefox.exe or iexplore.exe or outlook.exe or lync.exe or ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or mphost.exe or APcptControl.exe or winword.exe or excel.exe or powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Network Connection via Compiled HTML File",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"hh.exe\" and event.type == \"start\"]\n  [network where process.name : \"hh.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1036",
-            "name": "Masquerading",
-            "reference": "https://attack.mitre.org/techniques/T1036/"
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
           }
         ]
       },
@@ -10984,134 +8503,103 @@
         },
         "technique": [
           {
-            "id": "T1055",
-            "name": "Process Injection",
-            "reference": "https://attack.mitre.org/techniques/T1055/"
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.752Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "eql",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.674Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "e9f8f5e0-ac8d-4362-ba0b-bf216d098cb6",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP IAM Custom Role Creation",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success",
-    "references": [
-      "https://cloud.google.com/iam/docs/understanding-custom-roles"
+    "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
-    "severity": "medium",
-    "severity_mapping": [],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Network Connection via MsXsl",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"msxsl.exe\" and event.type == \"start\"]\n  [network where process.name : \"msxsl.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
+    "severity": "low",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Identity and Access"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
-        },
-        "technique": [
-          {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.675Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "eql",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.649Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
     "false_positives": [
-      "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+      "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
     ],
-    "from": "now-6m",
-    "id": "d4926e73-81fb-4bc8-bfb5-9918c08ec418",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Firewall Rule Deletion",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.delete",
-    "references": ["https://cloud.google.com/vpc/docs/firewalls"],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
-    "severity": "medium",
-    "severity_mapping": [],
+    "name": "Network Connection via Registration Utility",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"regsvr32.exe\" or process.name : \"regsvr64.exe\" or\n                  process.name : \"RegAsm.exe\" or process.name : \"RegSvcs.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"169.254.169.254\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+    "risk_score": 21,
+    "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
+    "severity": "low",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Configuration Audit"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
     "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1117",
+            "name": "Regsvr32",
+            "reference": "https://attack.mitre.org/techniques/T1117/"
+          }
+        ]
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -11121,317 +8609,229 @@
         },
         "technique": [
           {
-            "id": "T1562",
-            "name": "Impair Defenses",
-            "reference": "https://attack.mitre.org/techniques/T1562/"
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.649Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "eql",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.664Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full system compromise.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.",
     "from": "now-9m",
-    "id": "bc4f93a8-83f5-45de-9f95-c9361f16b4b7",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "WPAD Service Exploit",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "/* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */\n\nsequence with maxspan=5s\n  [process where event.type in (\"start\", \"process_started\") and process.name == \"svchost.exe\" and\n     user.domain == \"NT AUTHORITY\" and user.name == \"LOCAL SERVICE\"] by process.entity_id\n  [network where network.protocol == \"dns\" and process.name == \"svchost.exe\" and\n     dns.question.name == \"wpad\" and process.name == \"svchost.exe\"] by process.entity_id\n  [network where event.type == \"connection\" and process.name == \"svchost.exe\"\n     and network.direction == \"outgoing\" and destination.port == 80] by process.entity_id\n  [library where event.type == \"start\" and process.name == \"svchost.exe\" and\n     file.name == \"jscript.dll\" and process.name == \"svchost.exe\"] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and\n     process.parent.name == \"svchost.exe\"] by process.parent.entity_id\n",
-    "references": [],
+    "name": "Network Connection via Signed Binary",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"expand.exe\" or process.name : \"extrac.exe\" or\n                 process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "ec328da1-d5df-482b-866c-4a435692b1f3",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
+    "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
           "id": "TA0002",
           "name": "Execution",
           "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1068",
-            "name": "Exploitation for Privilege Escalation",
-            "reference": "https://attack.mitre.org/techniques/T1068/"
+            "id": "T1218",
+            "name": "Signed Binary Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1218/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.664Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.670Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.",
+    "false_positives": [
+      "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
+    ],
     "from": "now-9m",
-    "id": "f813e764-4390-40b2-98c2-72ebad5e7e3f",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Potential DLL SideLoading via Trusted Microsoft Programs",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Network Sniffing via Tcpdump",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:tcpdump",
+    "risk_score": 21,
+    "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Credential Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1036",
-            "name": "Masquerading",
-            "reference": "https://attack.mitre.org/techniques/T1036/"
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.670Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.613Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "9b1e9e37-17a1-4d68-bb41-b57de686c282",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "lucene",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Potential Secure File Deletion via SDelete Utility",
-    "note": "Verify process details such as command line and hash to confirm this activity legitimacy.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:file AND event.type:change AND file.name:/.+A+\\.AAA/",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
         },
         "technique": [
           {
-            "id": "T1107",
-            "name": "File Deletion",
-            "reference": "https://attack.mitre.org/techniques/T1107/"
+            "id": "T1040",
+            "name": "Network Sniffing",
+            "reference": "https://attack.mitre.org/techniques/T1040/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.613Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.628Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-25m",
-    "id": "986de366-1db1-4d31-8077-7cb6c86433a9",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.",
+    "false_positives": [
+      "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "User Added as Owner for Azure Service Principal",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:Success",
+    "name": "Nmap Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nmap",
     "references": [
-      "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"
+      "https://en.wikipedia.org/wiki/Nmap"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f",
+    "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Azure",
-      "Continuous Monitoring",
-      "SecOps",
-      "Configuration Audit"
-    ],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
-        },
-        "technique": [
-          {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
-          }
-        ]
-      }
+      "Host",
+      "Linux",
+      "Threat Detection"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.628Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.772Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.",
+    "false_positives": [
+      "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."
+    ],
     "from": "now-9m",
-    "id": "b243fd40-f4ad-400b-8c73-ec57f52eefcf",
-    "immutable": true,
-    "index": ["logs-endpoint.events.*", "winlogbeat-*"],
-    "interval": "5m",
-    "language": "eql",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Windows Suspicious Script Object Execution",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "sequence by process.entity_id with maxspan=2m\n  [process where event.type in (\"start\", \"process_started\") and\n     /* process.code_signature.* fields need to be populated for 7.10 */\n     process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and\n     process.name not in (\"cscript.exe\",\n                          \"iexplore.exe\",\n                          \"MicrosoftEdge.exe\",\n                          \"msiexec.exe\",\n                          \"smartscreen.exe\",\n                          \"taskhostw.exe\",\n                          \"w3wp.exe\",\n                          \"wscript.exe\")]\n  [library where event.type == \"start\" and file.name == \"scrobj.dll\"]\n",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff",
+    "name": "Nping Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:nping",
+    "references": [
+      "https://en.wikipedia.org/wiki/Nmap"
+    ],
+    "risk_score": 47,
+    "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1064",
-            "name": "Scripting",
-            "reference": "https://attack.mitre.org/techniques/T1064/"
-          }
-        ]
-      }
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "eql",
-    "updated_at": "2020-10-07T10:12:04.772Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.585Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
     "false_positives": [
-      "Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
     ],
-    "from": "now-6m",
-    "id": "a56e60a5-4bf5-47c5-9739-26de7e6b23b6",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Service Account Deletion",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success",
-    "references": ["https://cloud.google.com/iam/docs/service-accounts"],
+    "name": "Okta Brute Force or Password Spraying Attack",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
+    "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "GCP",
+      "Identity",
+      "Okta",
       "Continuous Monitoring",
       "SecOps",
       "Identity and Access"
@@ -11440,358 +8840,288 @@
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0006",
+          "name": "Credential Access",
+          "reference": "https://attack.mitre.org/tactics/TA0006/"
         },
         "technique": [
           {
-            "id": "T1531",
-            "name": "Account Access Removal",
-            "reference": "https://attack.mitre.org/techniques/T1531/"
+            "id": "T1110",
+            "name": "Brute Force",
+            "reference": "https://attack.mitre.org/techniques/T1110/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:04.585Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "threshold": {
+      "field": "source.ip",
+      "value": 25
+    },
+    "type": "threshold",
+    "version": 2
   },
   {
-    "actions": [],
-    "anomaly_threshold": 50,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.689Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.",
     "false_positives": [
-      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+      "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded."
     ],
-    "from": "now-45m",
-    "id": "f1d98bb3-a2dd-43a6-a3a1-daf7aa743fcf",
-    "immutable": true,
-    "interval": "15m",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_system_process_discovery",
-    "max_signals": 100,
-    "name": "Unusual Linux Process Discovery Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
+    "name": "PPTP (Point to Point Tunneling Protocol) Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b",
+    "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1057",
-            "name": "Process Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1057/"
-          }
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.689Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "anomaly_threshold": 75,
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.694Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-45m",
-    "id": "b21a73a1-4ad7-4581-8b24-a1f7a4520cd7",
-    "immutable": true,
-    "interval": "15m",
+    "description": "Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
     "license": "Elastic License",
-    "machine_learning_job_id": "linux_system_user_discovery",
-    "max_signals": 100,
-    "name": "Unusual Linux System Owner or User Discovery Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "59756272-1998-4b8c-be14-e287035c4d10",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux", "ML"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
-        },
-        "technique": [
-          {
-            "id": "T1033",
-            "name": "System Owner/User Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1033/"
-          }
-        ]
-      }
+    "name": "Permission Theft - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+    "risk_score": 73,
+    "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "machine_learning",
-    "updated_at": "2020-10-07T10:12:04.694Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.654Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Permission Theft - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
+    "risk_score": 47,
+    "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.",
     "false_positives": [
-      "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+      "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "12dd5ca7-0596-4fcf-bbcc-795d31a58bf6",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Firewall Rule Creation",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:v*.compute.firewalls.insert",
-    "references": ["https://cloud.google.com/vpc/docs/firewalls"],
+    "name": "Persistence via Kernel Module Modification",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)",
+    "references": [
+      "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
+    "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Configuration Audit"
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1562",
-            "name": "Impair Defenses",
-            "reference": "https://attack.mitre.org/techniques/T1562/"
+            "id": "T1215",
+            "name": "Kernel Modules and Extensions",
+            "reference": "https://attack.mitre.org/techniques/T1215/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.654Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 1
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.719Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-25m",
-    "id": "6fca417e-6630-4f61-89ff-80af033ff18d",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Azure Blob Container Access Level Modification",
-    "note": "The Azure Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:Success",
+    "name": "Persistence via TelemetryController Scheduled Task Hijack",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(CompatTelRunner.exe or compattelrunner.exe) and not process.name:(conhost.exe or DeviceCensus.exe or devicecensus.exe or CompatTelRunner.exe or compattelrunner.exe or DismHost.exe or dismhost.exe or rundll32.exe)",
     "references": [
-      "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
+      "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45",
-    "severity": "low",
-    "severity_mapping": [],
+    "risk_score": 73,
+    "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2",
+    "severity": "high",
     "tags": [
       "Elastic",
-      "Azure",
-      "SecOps",
-      "Continuous Monitoring",
-      "Asset Visibility"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
-        },
-        "technique": [
-          {
-            "id": "T1526",
-            "name": "Cloud Service Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1526/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
+            "id": "T1053",
+            "name": "Scheduled Task/Job",
+            "reference": "https://attack.mitre.org/techniques/T1053/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.719Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.797Z",
-    "created_by": "tudor@elastic.co",
-    "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "1f7c3c08-c000-43bb-ada2-87306c1e765b",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "GCP Service Account Disabled",
-    "note": "The GCP Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:googlecloud.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success",
-    "references": ["https://cloud.google.com/iam/docs/service-accounts"],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
-    "severity": "medium",
-    "severity_mapping": [],
+    "name": "Persistence via Update Orchestrator Service Hijack",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.parent.args:(UsoSvc or usosvc) and not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe)",
+    "references": [
+      "https://github.com/irsl/CVE-2020-1313"
+    ],
+    "risk_score": 73,
+    "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
+    "severity": "high",
     "tags": [
       "Elastic",
-      "GCP",
-      "Continuous Monitoring",
-      "SecOps",
-      "Identity and Access"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1531",
-            "name": "Account Access Removal",
-            "reference": "https://attack.mitre.org/techniques/T1531/"
+            "id": "T1050",
+            "name": "New Service",
+            "reference": "https://attack.mitre.org/techniques/T1050/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.797Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-07T10:12:04.741Z",
-    "created_by": "tudor@elastic.co",
+    "author": [
+      "Elastic"
+    ],
     "description": "Identifies when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
     "from": "now-25m",
-    "id": "c1ed9e29-629e-45ea-ac36-09c9abbdcf1a",
-    "immutable": true,
-    "index": ["filebeat-*"],
-    "interval": "5m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
     "name": "Possible Consent Grant Attack via Azure-Registered Application",
     "note": "- The Azure Filebeat module must be enabled to use this rule.\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n",
-    "output_index": ".siem-signals-siem-estc-dev-default",
     "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and ( azure.activitylogs.operation_name:\"Consent to application\" or azure.auditlogs.operation_name:\"Consent to application\" ) and event.outcome:success",
     "references": [
       "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
     "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
+      "Cloud",
       "Azure",
       "Continuous Monitoring",
       "SecOps",
@@ -11829,562 +9159,376 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:04.741Z",
-    "updated_by": "tudor@elastic.co",
     "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.430Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "436561b8-8065-4f90-a8c6-c296b45b94d9",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Adversary Behavior - Detected - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.075Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.368Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "06502641-d26f-40ee-ba7b-f6382703d2ae",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
+    "false_positives": [
+      "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Potential Modification of Accessibility Binaries",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Possible FIN7 DGA Command and Control Behavior",
+    "note": "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
+    "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
+    "references": [
+      "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1015",
-            "name": "Accessibility Features",
-            "reference": "https://attack.mitre.org/techniques/T1015/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
-        },
-        "technique": [
+            "id": "T1483",
+            "name": "Domain Generation Algorithms",
+            "reference": "https://attack.mitre.org/techniques/T1483/"
+          },
           {
-            "id": "T1015",
-            "name": "Accessibility Features",
-            "reference": "https://attack.mitre.org/techniques/T1015/"
+            "id": "T1071",
+            "name": "Application Layer Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1071/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.078Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.434Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "5debeda1-9f41-466b-a284-89ffaf4405f8",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "PowerShell spawning Cmd",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
-        },
-        "technique": [
-          {
-            "id": "T1059",
-            "name": "Command and Scripting Interpreter",
-            "reference": "https://attack.mitre.org/techniques/T1059/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
-        },
-        "technique": [
-          {
-            "id": "T1086",
-            "name": "PowerShell",
-            "reference": "https://attack.mitre.org/techniques/T1086/"
-          }
-        ]
-      }
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to disrupt an organization's business operations by performing a denial of service (DoS) attack against its Okta infrastructure.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.080Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 5
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.307Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "9ad3de9e-29c7-480f-83cc-0315f9463f1d",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempted Bypass of Okta MFA",
+    "name": "Possible Okta DoS Attack",
     "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass",
+    "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
     "references": [
       "https://developer.okta.com/docs/reference/api/system-log/",
       "https://developer.okta.com/docs/reference/api/event-types/"
     ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
-    "severity": "high",
-    "severity_mapping": [],
+    "risk_score": 47,
+    "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
+    "severity": "medium",
     "tags": [
       "Elastic",
+      "Identity",
       "Okta",
+      "Continuous Monitoring",
       "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Monitoring"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0040",
+          "name": "Impact",
+          "reference": "https://attack.mitre.org/tactics/TA0040/"
         },
         "technique": [
           {
-            "id": "T1111",
-            "name": "Two-Factor Authentication Interception",
-            "reference": "https://attack.mitre.org/techniques/T1111/"
+            "id": "T1498",
+            "name": "Network Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1498/"
+          },
+          {
+            "id": "T1499",
+            "name": "Endpoint Denial of Service",
+            "reference": "https://attack.mitre.org/techniques/T1499/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.082Z",
-    "updated_by": "tudor@elastic.co",
     "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.388Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "2f6874cb-75f5-4907-8629-8fb85a856b8a",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Exploit - Prevented - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.084Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.287Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "214db173-fe47-48c9-9d81-63a3d4adfe80",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "lucene",
-    "license": "Elastic License",
-    "max_signals": 33,
-    "name": "Setgid Bit Set via chmod",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root",
-    "references": [],
+    "name": "Potential Application Shimming via Sdbinst",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "3a86e085-094c-412d-97ff-2439731e59cb",
+    "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1166",
-            "name": "Setuid and Setgid",
-            "reference": "https://attack.mitre.org/techniques/T1166/"
+            "id": "T1138",
+            "name": "Application Shimming",
+            "reference": "https://attack.mitre.org/techniques/T1138/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
         },
         "technique": [
           {
-            "id": "T1166",
-            "name": "Setuid and Setgid",
-            "reference": "https://attack.mitre.org/techniques/T1166/"
+            "id": "T1138",
+            "name": "Application Shimming",
+            "reference": "https://attack.mitre.org/techniques/T1138/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.090Z",
-    "updated_by": "tudor@elastic.co",
     "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.406Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "d8f54f0f-2512-4aae-9afc-629171b72a3b",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "RDP (Remote Desktop Protocol) to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "name": "Potential DLL SideLoading via Trusted Microsoft Programs",
+    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) or winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE)) and not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or process.executable:(\"C:\\Windows\\explorer.exe\" or C\\:\\\\Program?Files\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or C\\:\\\\Program?Files?\\(x86\\)\\\\Microsoft?Office\\\\root\\\\Office*\\\\WINWORD.EXE or \"C:\\Windows\\System32\\Dism.exe\" or \"C:\\Windows\\SysWOW64\\Dism.exe\" or \"C:\\Windows\\System32\\inetsrv\\w3wp.exe\"))",
+    "risk_score": 73,
+    "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
-        },
-        "technique": [
-          {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0010",
-          "name": "Exfiltration",
-          "reference": "https://attack.mitre.org/tactics/TA0010/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1048",
-            "name": "Exfiltration Over Alternative Protocol",
-            "reference": "https://attack.mitre.org/techniques/T1048/"
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.094Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 5
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.317Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.",
     "false_positives": [
-      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "4683aabc-01bb-4b63-a391-5e68d9cc97e1",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS IAM Assume Role Policy Update",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
+    "name": "Potential DNS Tunneling via Iodine",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)",
     "references": [
-      "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"
+      "https://code.kryo.se/iodine/"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd",
-    "severity": "low",
-    "severity_mapping": [],
+    "risk_score": 73,
+    "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
+    "severity": "high",
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Disabling of SELinux",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0",
+    "risk_score": 47,
+    "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Defense Evasion"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1089",
+            "name": "Disabling Security Tools",
+            "reference": "https://attack.mitre.org/techniques/T1089/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.098Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.320Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "3a7af351-c106-4f78-a5e1-3acd69b98382",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS IAM Password Recovery Requested",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"
-    ],
+    "name": "Potential Evasion via Filter Manager",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c",
+    "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1222",
+            "name": "File and Directory Permissions Modification",
+            "reference": "https://attack.mitre.org/techniques/T1222/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.106Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.213Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "ac4b7902-3fa9-4899-a3af-23b7297499ac",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Parent-Child Relationship",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or process.name:autochk.exe and not process.parent.name:smss.exe or process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and not process.parent.name:svchost.exe or process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe) or process.name:SearchIndexer.exe and not process.parent.name:services.exe or process.name:SearchProtocolHost.exe and not process.parent.name:(SearchIndexer.exe or dllhost.exe) or process.name:dllhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:(lsass.exe or LsaIso.exe) and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Potential Modification of Accessibility Binaries",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)",
+    "risk_score": 21,
+    "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
     "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1015",
+            "name": "Accessibility Features",
+            "reference": "https://attack.mitre.org/techniques/T1015/"
+          }
+        ]
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -12394,162 +9538,135 @@
         },
         "technique": [
           {
-            "id": "T1093",
-            "name": "Process Hollowing",
-            "reference": "https://attack.mitre.org/techniques/T1093/"
+            "id": "T1015",
+            "name": "Accessibility Features",
+            "reference": "https://attack.mitre.org/techniques/T1015/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.108Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 5
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.217Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "01230104-fc78-4ba9-94e4-e318c56280e2",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "VNC (Virtual Network Computing) from the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "name": "Potential Secure File Deletion via SDelete Utility",
+    "note": "Verify process details such as command line and hash to confirm this activity legitimacy.",
+    "query": "event.category:file AND event.type:change AND file.name:/.+A+\\.AAA/",
+    "risk_score": 21,
+    "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1219",
-            "name": "Remote Access Software",
-            "reference": "https://attack.mitre.org/techniques/T1219/"
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
           }
         ]
-      },
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
+    "false_positives": [
+      "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Potential Shell via Web Server",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\")",
+    "references": [
+      "https://pentestlab.blog/tag/web-shell/"
+    ],
+    "risk_score": 47,
+    "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Persistence"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
+            "id": "T1100",
+            "name": "Web Shell",
+            "reference": "https://attack.mitre.org/techniques/T1100/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.111Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 5
+    "version": 6
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.263Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to deactivate an Okta multi-factor authentication (MFA) rule in order to remove or weaken an organization's security controls.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "7ae4cf16-0b4f-4660-831c-e8a30ffef735",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Deactivate Okta MFA Rule",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:policy.rule.deactivate",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
+    "name": "PowerShell spawning Cmd",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:powershell.exe and process.name:cmd.exe",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
+    "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.113Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.246Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "896de469-703c-4492-9aab-40fc68956f52",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Interactive Terminal Spawned via Perl",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -12565,61 +9682,65 @@
             "reference": "https://attack.mitre.org/techniques/T1059/"
           }
         ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1086",
+            "name": "PowerShell",
+            "reference": "https://attack.mitre.org/techniques/T1086/"
+          }
+        ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.115Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.291Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
     "false_positives": [
-      "A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "957895a4-8c98-4233-80c5-87432675c9ad",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS CloudWatch Log Stream Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
-      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"
+    "name": "Process Activity via Compiled HTML File",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe",
+    "risk_score": 21,
+    "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1485",
-            "name": "Data Destruction",
-            "reference": "https://attack.mitre.org/techniques/T1485/"
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
           }
         ]
       },
@@ -12632,179 +9753,201 @@
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1223",
+            "name": "Compiled HTML File",
+            "reference": "https://attack.mitre.org/techniques/T1223/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.119Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.300Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Adversaries may attempt to get information about running processes on a system.",
     "false_positives": [
-      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."
+      "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "2804f82c-1e3f-4d8b-b6d7-454db4060275",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Delete Okta Policy",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
+    "name": "Process Discovery via Tasklist",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:tasklist.exe",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+    "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Monitoring",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.121Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.334Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies a successful login to the AWS Management Console by the Root user.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
     ],
-    "from": "now-60m",
-    "id": "f75d41f5-3972-46db-bc33-668ddcee35f4",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
     "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS Management Console Root Login",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success",
-    "references": [
-      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
-    ],
+    "name": "Process Injection - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef",
+    "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
     "severity": "high",
-    "severity_mapping": [],
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Injection - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
+    "risk_score": 47,
+    "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.",
+    "false_positives": [
+      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Process Injection by the Microsoft Build Engine",
+    "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.123Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 3
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.365Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed.",
     "false_positives": [
-      "Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Legit Application Crash with rare Werfault commandline value"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "f67219db-3fc9-4121-ac55-559c0c3642b3",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS EC2 Network Access Control List Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "name": "Process Potentially Masquerading as WerFault",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:WerFault.exe and not process.args:(((\"-u\" or \"-pss\") and \"-p\" and \"-s\") or (\"/h\" and \"/shared\") or (\"-k\" and \"-lcq\"))",
     "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
-      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
-      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"
+      "https://twitter.com/SBousseaden/status/1235533224337641473",
+      "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d",
+    "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -12815,1583 +9958,1276 @@
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.125Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.428Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to disrupt an organization's business operations by performing a denial of service (DoS) attack against its Okta infrastructure.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "d89b9be5-3500-474a-8e25-c2e26a424f60",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be used to circumvent network controls and detection mechanisms.",
+    "false_positives": [
+      "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Possible Okta DoS Attack",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
+    "name": "Proxy Port Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1080 or 3128 or 8080) or event.dataset:zeek.socks) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
+    "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Monitoring",
-      "Continuous Monitoring"
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1498",
-            "name": "Network Denial of Service",
-            "reference": "https://attack.mitre.org/techniques/T1498/"
-          },
-          {
-            "id": "T1499",
-            "name": "Endpoint Denial of Service",
-            "reference": "https://attack.mitre.org/techniques/T1499/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.127Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.433Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.",
     "false_positives": [
-      "Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
     ],
-    "from": "now-60m",
-    "id": "352abbf1-c61a-4a31-a2a7-6b812542ab18",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
-    "language": "kuery",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS CloudTrail Log Suspended",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
+    "name": "PsExec Network Connection",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n  [network where process.name : \"PsExec.exe\"]\n",
+    "risk_score": 21,
+    "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.129Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "type": "eql",
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.311Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-60m",
-    "id": "6680910c-4e8a-4cc3-8427-04b3e187aea0",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
-    "language": "kuery",
+    "description": "Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to test for Internet access and acquire their public IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.",
+    "false_positives": [
+      "If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."
+    ],
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS IAM Deactivation of MFA Device",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "name": "Public IP Reconnaissance Activity",
+    "note": "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert.",
+    "query": "event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer",
     "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
-      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"
+      "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
+      "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
+    ],
+    "risk_score": 21,
+    "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "Discovery"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
         },
         "technique": [
           {
-            "id": "T1531",
-            "name": "Account Access Removal",
-            "reference": "https://attack.mitre.org/techniques/T1531/"
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.130Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.480Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
     "false_positives": [
-      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+      "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-9m",
-    "id": "38de1ff3-17fd-4834-a7f9-62e165dfb6ef",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Microsoft Build Engine Using an Alternate Name",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and not process.name: MSBuild.exe",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "RDP (Remote Desktop Protocol) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1036",
-            "name": "Masquerading",
-            "reference": "https://attack.mitre.org/techniques/T1036/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.132Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.088Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
-    ],
-    "from": "now-9m",
-    "id": "e382f85d-7a93-4614-a137-041866e97390",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Microsoft Build Engine Loading Windows Credential Libraries",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:change and (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
         },
         "technique": [
           {
-            "id": "T1003",
-            "name": "OS Credential Dumping",
-            "reference": "https://attack.mitre.org/techniques/T1003/"
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.135Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.461Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
     "false_positives": [
-      "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
+      "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-9m",
-    "id": "5660da1f-127a-4569-bccb-c727ad951f49",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Network Connection via Registration Utility",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:(regsvr32.exe or regsvr64.exe or RegAsm.exe or RegSvcs.exe) and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)",
-    "references": [],
+    "name": "RDP (Remote Desktop Protocol) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
+    "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1117",
-            "name": "Regsvr32",
-            "reference": "https://attack.mitre.org/techniques/T1117/"
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
         },
         "technique": [
           {
-            "id": "T1218",
-            "name": "Signed Binary Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1218/"
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.137Z",
-    "updated_by": "tudor@elastic.co",
     "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.386Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "2eb0053f-9530-4135-ad39-8847fbe6f48a",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS GuardDuty Detector Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
-      "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"
-    ],
+    "name": "RPC (Remote Procedure Call) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef",
+    "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.139Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.414Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "88261b8f-6923-4b73-9aa9-0263a46df832",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS IAM Group Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
-      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"
+    "name": "RPC (Remote Procedure Call) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 73,
+    "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1531",
-            "name": "Account Access Removal",
-            "reference": "https://attack.mitre.org/techniques/T1531/"
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.141Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.366Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
     "from": "now-15m",
-    "id": "ccc367b3-d396-47cb-96dd-05556da945da",
-    "immutable": true,
-    "index": ["endgame-*"],
+    "index": [
+      "endgame-*"
+    ],
     "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Process Injection - Detected - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
-    "references": [],
+    "name": "Ransomware - Detected - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
+    "risk_score": 99,
+    "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
+    "severity": "critical",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
+    "from": "now-15m",
+    "index": [
+      "endgame-*"
+    ],
+    "interval": "10m",
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Ransomware - Prevented - Endpoint Security",
+    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
+    "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
+    "tags": [
+      "Elastic",
+      "Endpoint Security"
+    ],
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.142Z",
-    "updated_by": "tudor@elastic.co",
     "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.408Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.",
-    "enabled": false,
-    "exceptions_list": [],
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.",
     "false_positives": [
-      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+      "Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_error_code",
+    "name": "Rare AWS Error Code",
+    "note": "### Investigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
     ],
+    "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.",
     "from": "now-9m",
-    "id": "436b1e20-0385-465f-b859-5f55c4d89d9f",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Microsoft Build Engine Started by a System Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe)",
-    "references": [],
+    "name": "Remote File Copy via TeamViewer",
+    "query": "event.category:file and event.type:creation and process.name:TeamViewer.exe and file.extension:(exe or dll or scr or com or bat or ps1 or vbs or vbe or js or wsh or hta)",
+    "references": [
+      "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
+    "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.144Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.242Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "3ab39c23-f0ae-4893-a7fb-293894dfe644",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS RDS Cluster Creation",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+    "name": "Remote File Download via Desktopimgdownldr Utility",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe or winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and process.args:/lockscreenurl\\:http*",
     "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
-      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html",
-      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"
+      "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d",
-    "severity": "low",
-    "severity_mapping": [],
+    "risk_score": 47,
+    "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+    "severity": "medium",
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Asset Visibility",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
-        },
-        "technique": [
-          {
-            "id": "T1108",
-            "name": "Redundant Access",
-            "reference": "https://attack.mitre.org/techniques/T1108/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1108",
-            "name": "Redundant Access",
-            "reference": "https://attack.mitre.org/techniques/T1108/"
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.146Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.273Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "d8cd9e63-cfc6-4965-8584-961bc90eb475",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Modify Okta Network Zone",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist)",
+    "name": "Remote File Download via MpCmdRun",
+    "note": "### Investigating Remote File Download via MpCmdRun\nVerify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.",
+    "query": "event.category:process and event.type:(start or process_started) and (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe or winlog.event_data.OriginalFileName:MpCmdRun.exe) and process.args:((\"-DownloadFile\" or \"-downloadfile\") and \"-url\" and \"-path\")",
     "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
+      "https://twitter.com/mohammadaskar2/status/1301263551638761477",
+      "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
+    "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Okta", "SecOps", "Network", "Continuous Monitoring"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Command and Control"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
+        },
+        "technique": [
+          {
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
+          }
+        ]
+      }
+    ],
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.147Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.362Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects use of the systemsetup command to enable remote SSH Login.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "aa299e64-c5c1-4c6f-b5d2-ac1977d8f66c",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS IAM Group Creation",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "name": "Remote SSH Login Enabled via systemsetup Command",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:systemsetup and process.args:(\"-f\" and \"-setremotelogin\" and on)",
     "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
-      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"
+      "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+      "https://ss64.com/osx/systemsetup.html"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1",
-    "severity": "low",
-    "severity_mapping": [],
+    "risk_score": 47,
+    "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc",
+    "severity": "medium",
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Host",
+      "macOS",
+      "Threat Detection",
+      "Lateral Movement"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
         },
         "technique": [
           {
-            "id": "T1108",
-            "name": "Redundant Access",
-            "reference": "https://attack.mitre.org/techniques/T1108/"
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.150Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.236Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "da571459-a93d-4bc0-bd39-79c10fd669cd",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable to avoid detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Process Injection - Prevented - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)",
-    "references": [],
+    "name": "Renamed AutoIt Scripts Interpreter",
+    "query": "event.category:process AND event.type:(start OR process_started) AND (process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/ OR winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\\d\\.[eE][xX][eE]/) AND NOT process.name:/[aA][uU][tT][oO][iI][tT]\\d{1,3}\\.[eE][xX][eE]/",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+    "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.152Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.364Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "59398007-70cc-468d-9eaa-9c11f6f05641",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Credential Dumping - Detected - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.154Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.231Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "52e4b704-0c61-41f5-9edd-b9965459fdb5",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Unusual Process Network Connection",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.156Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 5
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.303Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database cluster.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and TTPs. This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.",
     "false_positives": [
-      "Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."
     ],
-    "from": "now-60m",
-    "id": "d48cea68-4e37-45c9-ba85-6b4e1a5f86cf",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
-    "language": "kuery",
+    "index": [
+      "packetbeat-*"
+    ],
+    "language": "lucene",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS RDS Cluster Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
+    "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
+    "note": "This activity has been observed in FIN7 campaigns.",
+    "query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
     "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
-      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
-      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html"
+      "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+      "https://www.justice.gov/opa/press-release/file/1084361/download"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad",
+    "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Asset Visibility",
-      "Continuous Monitoring"
+      "Network",
+      "Threat Detection",
+      "Command and Control"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1485",
-            "name": "Data Destruction",
-            "reference": "https://attack.mitre.org/techniques/T1485/"
+            "id": "T1105",
+            "name": "Ingress Tool Transfer",
+            "reference": "https://attack.mitre.org/techniques/T1105/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.158Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.314Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.",
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "12473e2b-3721-41ac-90ab-9df6d156d4f9",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Modify Okta Policy",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:policy.lifecycle.update",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45",
-    "severity": "low",
-    "severity_mapping": [],
+    "name": "SMB (Windows File Sharing) Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 73,
+    "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
+    "severity": "high",
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Monitoring",
-      "Continuous Monitoring"
-    ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.161Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.983Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies possibly suspicious activity using trusted Windows developer activity.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "These programs may be used by Windows developers but use by non-engineers is unusual."
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Initial Access"
     ],
-    "from": "now-6m",
-    "id": "9bbb1112-737c-4010-9820-7166fb08b07d",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Trusted Developer Application Usage",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
         },
         "technique": [
           {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.164Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.259Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.",
     "false_positives": [
-      "Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "fc9648c9-9b20-4f3a-836c-c0862972fc4a",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS IAM User Addition to Group",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success",
+    "name": "SMTP on Port 26/TCP",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
     "references": [
-      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"
+      "https://unit42.paloaltonetworks.com/unit42-badpatch/",
+      "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0",
+    "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.181Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.318Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently abused by threat actors for command and control, or data exfiltration.",
     "false_positives": [
-      "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "0ee7626e-bc38-48b3-ad14-ecdc6ce41de4",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS CloudTrail Log Created",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
-    ],
+    "name": "SMTP to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(25 or 465 or 587) or event.dataset:zeek.smtp) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
+    "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0009",
-          "name": "Collection",
-          "reference": "https://attack.mitre.org/tactics/TA0009/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1530",
-            "name": "Data from Cloud Storage Object",
-            "reference": "https://attack.mitre.org/techniques/T1530/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0010",
+          "name": "Exfiltration",
+          "reference": "https://attack.mitre.org/tactics/TA0010/"
+        },
+        "technique": [
+          {
+            "id": "T1048",
+            "name": "Exfiltration Over Alternative Protocol",
+            "reference": "https://attack.mitre.org/techniques/T1048/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.183Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.355Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.",
+    "false_positives": [
+      "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "f82482d8-c507-4840-935a-1afd22f73224",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS RDS Instance/Cluster Stoppage",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
-      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html",
-      "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"
-    ],
+    "name": "SQL Traffic to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d",
+    "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Asset Visibility",
-      "Continuous Monitoring"
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1489",
-            "name": "Service Stop",
-            "reference": "https://attack.mitre.org/techniques/T1489/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.188Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.233Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
     "false_positives": [
-      "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+      "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "f9150083-cb40-4dc2-b47c-e636e569a899",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Whoami Process Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "SSH (Secure Shell) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+    "risk_score": 47,
+    "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1033",
-            "name": "System Owner/User Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1033/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.192Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.484Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "cf0cfa38-86a2-4ad1-81bb-958d418cd60c",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
+    "false_positives": [
+      "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Potential Evasion via Filter Manager",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:fltMC.exe",
-    "references": [],
+    "name": "SSH (Secure Shell) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
+    "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1222",
-            "name": "File and Directory Permissions Modification",
-            "reference": "https://attack.mitre.org/techniques/T1222/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.194Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.257Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce visibiltiy into the security posture of an account and / or its workload instances.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Privileged IAM users with security responsibilities may be expected to make changes to the Config rules in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-60m",
-    "id": "a11d7367-4785-4a23-bdda-ca437fabf753",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
-    "language": "kuery",
+    "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS Config Service Tampering",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com",
-    "references": [
-      "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
-      "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"
+    "name": "Service Command Lateral Movement",
+    "query": "sequence by process.entity_id with maxspan=1m\n  [process where event.type in (\"start\", \"process_started\") and\n                               /* uncomment once in winlogbeat */\n     (process.name == \"sc.exe\" /* or process.pe.original_file_name == \"sc.exe\" */ ) and\n                                                   /* case insensitive */\n      wildcard(process.args, \"\\\\\\\\*\") and wildcard(process.args, \"binPath=*\", \"binpath=*\") and\n      (process.args : \"create\" or\n       process.args : \"config\" or\n       process.args : \"failure\" or\n       process.args : \"start\")]\n  [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+    "risk_score": 21,
+    "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Lateral Movement"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          },
+          {
+            "id": "T1050",
+            "name": "New Service",
+            "reference": "https://attack.mitre.org/techniques/T1050/"
+          },
+          {
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.197Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "type": "eql",
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.288Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-60m",
-    "id": "ddff813c-4c52-4b75-aab8-e3478df4c9b5",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
-    "language": "kuery",
+    "description": "An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "lucene",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS CloudWatch Log Group Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
-      "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"
+    "max_signals": 33,
+    "name": "Setgid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root",
+    "risk_score": 21,
+    "rule_id": "3a86e085-094c-412d-97ff-2439731e59cb",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
         },
         "technique": [
           {
-            "id": "T1485",
-            "name": "Data Destruction",
-            "reference": "https://attack.mitre.org/techniques/T1485/"
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.200Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.417Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "94ed90ff-d0f5-4489-9b2b-902bdb2ca6b6",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Malware - Prevented - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.202Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.357Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "697084d7-552e-4129-b56e-66bd3c881c86",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Deactivate Okta Policy",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
+    "description": "An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
     ],
+    "language": "lucene",
+    "license": "Elastic License",
+    "max_signals": 33,
+    "name": "Setuid Bit Set via chmod",
+    "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+    "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Monitoring",
-      "Continuous Monitoring"
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
     ],
     "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
+          }
+        ]
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -14401,488 +11237,276 @@
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1166",
+            "name": "Setuid and Setgid",
+            "reference": "https://attack.mitre.org/techniques/T1166/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.206Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.435Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "24d7bd42-a792-4e45-a75f-5dd0c583693b",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.",
+    "false_positives": [
+      "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "RPC (Remote Procedure Call) from the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
-        },
-        "technique": [
-          {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
-          }
-        ]
-      }
+    "name": "Socat Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V",
+    "references": [
+      "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"
+    ],
+    "risk_score": 47,
+    "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.209Z",
-    "updated_by": "tudor@elastic.co",
     "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.310Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.",
-    "enabled": false,
-    "exceptions_list": [],
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.",
     "false_positives": [
-      "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+      "Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."
     ],
-    "from": "now-6m",
-    "id": "e38cf8d4-ec76-4c3f-bde5-9cb85af3ee19",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
-    "language": "kuery",
+    "from": "now-60m",
+    "interval": "15m",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Create Okta API Token",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:system.api_token.create",
+    "machine_learning_job_id": "high_distinct_count_error_message",
+    "name": "Spike in AWS Error Messages",
+    "note": "### Investigating Spikes in CloudTrail Errors ###\nDetection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the user.name field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?",
     "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
+    "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Monitoring",
-      "Continuous Monitoring"
-    ],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
-        },
-        "technique": [
-          {
-            "id": "T1136",
-            "name": "Create Account",
-            "reference": "https://attack.mitre.org/techniques/T1136/"
-          }
-        ]
-      }
+      "Cloud",
+      "AWS",
+      "ML"
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.211Z",
-    "updated_by": "tudor@elastic.co",
+    "type": "machine_learning",
     "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.226Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.",
     "false_positives": [
-      "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."
+      "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
     ],
     "from": "now-9m",
-    "id": "0eea4021-6474-4698-a106-b6d430faf294",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Command Prompt Network Connection",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
-    "references": [],
+    "name": "Strace Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:strace",
+    "references": [
+      "https://en.wikipedia.org/wiki/Strace"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
+    "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Sudoers File Modification",
+    "query": "event.category:file and event.type:change and file.path:/etc/sudoers",
+    "risk_score": 21,
+    "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
-        },
-        "technique": [
-          {
-            "id": "T1059",
-            "name": "Command and Scripting Interpreter",
-            "reference": "https://attack.mitre.org/techniques/T1059/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
         },
         "technique": [
           {
-            "id": "T1105",
-            "name": "Ingress Tool Transfer",
-            "reference": "https://attack.mitre.org/techniques/T1105/"
+            "id": "T1169",
+            "name": "Sudo",
+            "reference": "https://attack.mitre.org/techniques/T1169/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.213Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 5
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.327Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious .NET code execution. connections.",
     "from": "now-9m",
-    "id": "95c058bd-6ed3-416a-9c99-861a00f54cb7",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Interactive Terminal Spawned via Python",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "name": "Suspicious .NET Code Compilation",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(csc.exe or vbc.exe) and process.parent.name:(wscript.exe or mshta.exe or wscript.exe or wmic.exe or svchost.exe or rundll32.exe or cmstp.exe or regsvr32.exe)",
+    "risk_score": 47,
+    "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1059",
-            "name": "Command and Scripting Interpreter",
-            "reference": "https://attack.mitre.org/techniques/T1059/"
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.215Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.348Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "47311701-b687-4d93-af86-d5a212072846",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.",
+    "false_positives": [
+      "A user may report suspicious activity on their Okta account in error."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Credential Dumping - Prevented - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)",
-    "references": [],
+    "name": "Suspicious Activity Reported by Okta User",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+    "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.216Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.354Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "c53f92f6-285b-492e-a986-37080cff2388",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Ransomware - Prevented - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.218Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.941Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "dcf8ce48-b2aa-470d-b4c2-cb03a111df64",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Net command via SYSTEM account",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1087",
-            "name": "Account Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1087/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.219Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.409Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "2a9a7b0a-8d25-4554-8408-5a7a7b5ec623",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Permission Theft - Detected - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.221Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.359Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "0eca735d-03c3-4313-83a2-1decfb02450e",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Threat Detected by Okta ThreatInsight",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:security.threat.detected",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": [
-      "Elastic",
-      "Okta",
-      "SecOps",
-      "Monitoring",
-      "Continuous Monitoring"
-    ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.222Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.264Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
-    ],
-    "from": "now-60m",
-    "id": "e66ac8a7-3741-4017-aebf-62e754907c04",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS CloudTrail Log Deleted",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
-    ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"],
-    "threat": [
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
+          }
+        ]
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -14892,241 +11516,175 @@
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1078",
+            "name": "Valid Accounts",
+            "reference": "https://attack.mitre.org/techniques/T1078/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.224Z",
-    "updated_by": "tudor@elastic.co",
     "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.419Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "ea044fef-0349-41e9-9e40-c4da201e43aa",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS EC2 Snapshot Activity",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute",
-    "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
-      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"
-    ],
+    "name": "Suspicious Endpoint Security Parent Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(esensor.exe or \"elastic-endpoint.exe\" or \"elastic-agent.exe\") and not process.parent.executable:\"C:\\Windows\\System32\\services.exe\"",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56",
+    "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Asset Visibility",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0010",
-          "name": "Exfiltration",
-          "reference": "https://attack.mitre.org/tactics/TA0010/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1537",
-            "name": "Transfer Data to Cloud Account",
-            "reference": "https://attack.mitre.org/techniques/T1537/"
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.225Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.427Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "a1c3e277-34e8-40e3-a139-49f1712a975e",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS Root Login Without MFA",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success",
-    "references": [
-      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
-    ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc",
-    "severity": "high",
-    "severity_mapping": [],
+    "name": "Suspicious MS Office Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
+    "risk_score": 21,
+    "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
+    "severity": "low",
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.227Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.477Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "cda87230-9516-4c34-87ad-a82cc2b1faf6",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Revoke Okta API Token",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:system.api_token.revoke",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
+    "name": "Suspicious MS Outlook Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or  bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
+    "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Monitoring",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1531",
-            "name": "Account Access Removal",
-            "reference": "https://attack.mitre.org/techniques/T1531/"
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.228Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.449Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "96d21dcf-4a74-4331-9d5c-902fdc6639a9",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS CloudWatch Alarm Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success",
+    "name": "Suspicious Managed Code Hosting Process",
+    "query": "event.category:file and not event.type:deletion and file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log)",
     "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
-      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"
+      "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"
+    ],
+    "risk_score": 73,
+    "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -15137,52 +11695,40 @@
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.229Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.296Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "9f99e070-64fb-4ab0-9410-c68d2621a079",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS Execution via System Manager",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
-    "references": [
-      "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"
-    ],
+    "name": "Suspicious PDF Reader Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa",
+    "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -15193,78 +11739,123 @@
         },
         "technique": [
           {
-            "id": "T1064",
-            "name": "Scripting",
-            "reference": "https://attack.mitre.org/techniques/T1064/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
-        },
-        "technique": [
-          {
-            "id": "T1086",
-            "name": "PowerShell",
-            "reference": "https://attack.mitre.org/techniques/T1086/"
+            "id": "T1204",
+            "name": "User Execution",
+            "reference": "https://attack.mitre.org/techniques/T1204/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.231Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.290Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "2093da74-ffd7-459d-8e18-2bcf8e0fbf0d",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.",
+    "false_positives": [
+      "Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Potential Application Shimming via Sdbinst",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe",
-    "references": [],
+    "machine_learning_job_id": "windows_anomalous_script",
+    "name": "Suspicious Powershell Script",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
+    "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. .",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious PrintSpooler SPL File Created",
+    "note": "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.",
+    "query": "event.category:file and not event.type:deletion and file.extension:(spl or SPL) and file.path:C\\:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\* and not process.name:(spoolsv.exe or printfilterpipelinesvc.exe or PrintIsolationHost.exe or splwow64.exe or msiexec.exe or poqexec.exe)",
+    "references": [
+      "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"
+    ],
+    "risk_score": 74,
+    "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
         },
         "technique": [
           {
-            "id": "T1138",
-            "name": "Application Shimming",
-            "reference": "https://attack.mitre.org/techniques/T1138/"
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
           }
         ]
-      },
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious PrintSpooler Service Executable File Creation",
+    "query": "event.category:file and not event.type:deletion and process.name:spoolsv.exe and file.extension:(exe or dll) and not file.path:(C\\:\\\\Windows\\\\System32\\\\spool\\\\* or C\\:\\\\Windows\\\\Temp\\\\* or C\\:\\\\Users\\\\*)",
+    "references": [
+      "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
+      "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"
+    ],
+    "risk_score": 74,
+    "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -15274,120 +11865,88 @@
         },
         "technique": [
           {
-            "id": "T1138",
-            "name": "Application Shimming",
-            "reference": "https://attack.mitre.org/techniques/T1138/"
+            "id": "T1068",
+            "name": "Exploitation for Privilege Escalation",
+            "reference": "https://attack.mitre.org/techniques/T1068/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.232Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.302Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "79e14d0b-5890-4303-b520-6dff447bd64b",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Okta Brute Force or Password Spraying Attack",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
+    "name": "Suspicious Process Execution via Renamed PsExec Executable",
+    "query": "event.category:process and event.type:(start or process_started) and (process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and process.parent.name:services.exe and not process.name:(psexesvc.exe or PSEXESVC.exe)",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
+    "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1110",
-            "name": "Brute Force",
-            "reference": "https://attack.mitre.org/techniques/T1110/"
+            "id": "T1035",
+            "name": "Service Execution",
+            "reference": "https://attack.mitre.org/techniques/T1035/"
           }
         ]
       }
     ],
-    "threshold": {
-      "field": "source.ip",
-      "value": 25
-    },
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "threshold",
-    "updated_at": "2020-10-07T10:12:08.234Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "type": "query",
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.381Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious Conhost child process which may be an indication of code injection activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "ed622f44-850e-4da6-8239-b8a5b9b0825a",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS WAF Access Control List Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success",
+    "name": "Suspicious Process from Conhost",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:conhost.exe",
     "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
-      "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
+      "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx"
+    ],
+    "risk_score": 73,
+    "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -15398,65 +11957,91 @@
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.235Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.373Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "cee1bfc7-c84c-4e02-9895-06be8998df2f",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "description": "Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Process Activity via Compiled HTML File",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:hh.exe",
-    "references": [],
+    "name": "Suspicious WMIC XSL Script Execution",
+    "query": "sequence by process.entity_id with maxspan=2m\n[process where event.type in (\"start\", \"process_started\") and\n   (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n   wildcard(process.args, \"format*:*\", \"/format*:*\", \"*-format*:*\") and\n   not wildcard(process.command_line, \"* /format:table *\")]\n[library where event.type == \"start\" and file.name in (\"jscript.dll\", \"vbscript.dll\")]\n",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1223",
-            "name": "Compiled HTML File",
-            "reference": "https://attack.mitre.org/techniques/T1223/"
+            "id": "T1220",
+            "name": "XSL Script Processing",
+            "reference": "https://attack.mitre.org/techniques/T1220/"
           }
         ]
-      },
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and parent process details as well.",
+    "false_positives": [
+      "Custom Windows Error Reporting Debugger"
+    ],
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Suspicious WerFault Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:WerFault.exe and not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)",
+    "references": [
+      "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+      "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx"
+    ],
+    "risk_score": 47,
+    "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -15466,86 +12051,43 @@
         },
         "technique": [
           {
-            "id": "T1223",
-            "name": "Compiled HTML File",
-            "reference": "https://attack.mitre.org/techniques/T1223/"
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.236Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.972Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "972e06bb-a22f-49f2-a0c2-af405c0204ab",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Credential Manipulation - Prevented - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.238Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.431Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.",
     "false_positives": [
-      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."
+      "New Zoom Executable"
     ],
     "from": "now-9m",
-    "id": "7b084969-fa9d-4484-8e70-d9a2e1f3e9e3",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Microsoft Build Engine Started by an Office Application",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe)",
-    "references": [
-      "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"
+    "name": "Suspicious Zoom Child Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:Zoom.exe and not process.name:(Zoom.exe or WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or cpthost.exe or CptInstall.exe or CptService.exe or Installer.exe or zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or APcptControl.exe or CrashSender*.exe or aomhost64.exe or Magnify.exe or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or RoomConnector.exe or tabtip.exe or Explorer.exe or chrome.exe or firefox.exe or iexplore.exe or outlook.exe or lync.exe or ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or narrator.exe or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or mphost.exe or APcptControl.exe or winword.exe or excel.exe or powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or zAssistant.exe or msiexec.exe or msedge.exe or dwm.exe or vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)",
+    "risk_score": 47,
+    "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -15556,369 +12098,302 @@
         },
         "technique": [
           {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
+            "id": "T1036",
+            "name": "Masquerading",
+            "reference": "https://attack.mitre.org/techniques/T1036/"
           }
         ]
       },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.240Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.051Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "0dab10de-744a-463a-80af-090d514e084c",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Permission Theft - Prevented - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.242Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.475Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Legitimate scheduled tasks may be created during installation of new software."
+    "author": [
+      "Elastic"
     ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
     "from": "now-9m",
-    "id": "55304807-a29a-4b0e-89c3-84e7545c9ed3",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Local Scheduled Task Commands",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run)",
-    "references": [],
+    "name": "Svchost spawning Cmd",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
+    "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1053",
-            "name": "Scheduled Task/Job",
-            "reference": "https://attack.mitre.org/techniques/T1053/"
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.244Z",
-    "updated_by": "tudor@elastic.co",
     "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.099Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "a8c62e42-1c32-481e-95eb-b7a10bb7e177",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Ransomware - Detected - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)",
-    "references": [],
-    "risk_score": 99,
-    "risk_score_mapping": [],
-    "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
-    "severity": "critical",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.245Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.456Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "2454cce3-2b8f-4a90-9a37-d83deadfb5f8",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "RPC (Remote Procedure Call) to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "name": "System Shells via Services",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe)",
+    "risk_score": 47,
+    "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
+            "id": "T1050",
+            "name": "New Service",
+            "reference": "https://attack.mitre.org/techniques/T1050/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.247Z",
-    "updated_by": "tudor@elastic.co",
     "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.210Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.",
     "false_positives": [
-      "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."
+      "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-9m",
-    "id": "c5be7f05-83a4-45aa-b256-5d7f096a7700",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Microsoft Build Engine Started by a Script Process",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type: start and process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe)",
-    "references": [],
+    "name": "TCP Port 8000 Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
+    "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
-        },
-        "technique": [
-          {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1127",
-            "name": "Trusted Developer Utilities Proxy Execution",
-            "reference": "https://attack.mitre.org/techniques/T1127/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.249Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.413Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to remove the multi-factor authentication (MFA) factors registered on an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
     "false_positives": [
-      "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."
+      "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "063ffb67-a8a7-46e7-aad3-98bbe52e2eef",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Reset MFA Factors for Okta User Account",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
-    "severity": "low",
-    "severity_mapping": [],
+    "name": "Telnet Port Activity",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
+    "risk_score": 47,
+    "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
+    "severity": "medium",
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1043",
+            "name": "Commonly Used Port",
+            "reference": "https://attack.mitre.org/techniques/T1043/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0008",
+          "name": "Lateral Movement",
+          "reference": "https://attack.mitre.org/tactics/TA0008/"
+        },
+        "technique": [
+          {
+            "id": "T1021",
+            "name": "Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1021/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
+        },
+        "technique": [
+          {
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.250Z",
-    "updated_by": "tudor@elastic.co",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.",
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Threat Detected by Okta ThreatInsight",
+    "note": "The Okta Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:security.threat.detected",
+    "references": [
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 47,
+    "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Monitoring"
+    ],
+    "type": "query",
     "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.839Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection.",
     "false_positives": [
-      "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions."
+      "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "95050947-66f4-4904-a00c-98e90854b6a7",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
+    "name": "Tor Activity to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa",
+    "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -15938,54 +12413,64 @@
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0010",
-          "name": "Exfiltration",
-          "reference": "https://attack.mitre.org/tactics/TA0010/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1048",
-            "name": "Exfiltration Over Alternative Protocol",
-            "reference": "https://attack.mitre.org/techniques/T1048/"
+            "id": "T1188",
+            "name": "Multi-hop Proxy",
+            "reference": "https://attack.mitre.org/techniques/T1188/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.252Z",
-    "updated_by": "tudor@elastic.co",
     "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.073Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "ef3922f9-61a3-492b-8efb-e1c04281f12c",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies possibly suspicious activity using trusted Windows developer activity.",
+    "false_positives": [
+      "These programs may be used by Windows developers but use by non-engineers is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "MsBuild Making Network Connections",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or \"::1\")",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Trusted Developer Application Usage",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)",
+    "risk_score": 21,
+    "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -16002,286 +12487,336 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.253Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 5
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Nick Jones", "Elastic"],
-    "created_at": "2020-10-05T15:46:06.324Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "2b0281ff-9c29-4e7c-b1ec-62f64b8a50a0",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS Access Secret in Secrets Manager",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue",
-    "references": [
-      "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
-      "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"
-    ],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622",
-    "severity": "high",
-    "severity_mapping": [],
+    "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(/autoclean or /AUTOCLEAN) and process.parent.name:svchost.exe and not process.executable:(\"C:\\Windows\\System32\\cleanmgr.exe\" or \"C:\\Windows\\SysWOW64\\cleanmgr.exe\")",
+    "risk_score": 47,
+    "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
+    "severity": "medium",
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Data Protection",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
         },
         "technique": [
           {
-            "id": "T1528",
-            "name": "Steal Application Access Token",
-            "reference": "https://attack.mitre.org/techniques/T1528/"
+            "id": "T1088",
+            "name": "Bypass User Account Control",
+            "reference": "https://attack.mitre.org/techniques/T1088/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.255Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.331Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.",
-    "enabled": false,
-    "exceptions_list": [],
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data.",
     "false_positives": [
-      "Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."
     ],
     "from": "now-60m",
-    "id": "423c28c4-b3ad-4076-a76b-ca24eb2e9f1e",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
-    "language": "kuery",
+    "interval": "15m",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS EC2 Network Access Control List Creation",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "machine_learning_job_id": "rare_method_for_a_username",
+    "name": "Unusual AWS Command for a User",
+    "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
     "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
-      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html",
-      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0",
+    "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Child Process from a System Virtual Process",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.pid:4 and not process.executable:(Registry or MemCompression or \"C:\\Windows\\System32\\smss.exe\")",
+    "risk_score": 73,
+    "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1108",
-            "name": "Redundant Access",
-            "reference": "https://attack.mitre.org/techniques/T1108/"
+            "id": "T1055",
+            "name": "Process Injection",
+            "reference": "https://attack.mitre.org/techniques/T1055/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.257Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.439Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embed ed systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "false_positives": [
+      "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "2d469a60-79a3-4121-8b16-03ac52c12c3f",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Telnet Port Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "name": "Unusual Child Process of dns.exe",
+    "note": "### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.",
+    "query": "event.category:process and event.type:start and process.parent.name:dns.exe and not process.name:conhost.exe",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+      "https://github.com/maxpl0it/CVE-2020-1350-DoS"
+    ],
+    "risk_score": 73,
+    "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
-        },
-        "technique": [
-          {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0008",
-          "name": "Lateral Movement",
-          "reference": "https://attack.mitre.org/tactics/TA0008/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1021",
-            "name": "Remote Services",
-            "reference": "https://attack.mitre.org/techniques/T1021/"
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
           }
         ]
-      },
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Child Processes of RunDLL32",
+    "query": "sequence with maxspan=1h\n  [process where event.type in (\"start\", \"process_started\") and\n                                    /* uncomment once in winlogbeat */\n     (process.name : \"rundll32.exe\" /* or process.pe.original_file_name == \"RUNDLL32.EXE\" */ ) and\n     process.args_count < 2\n  ] by process.entity_id\n  [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n  ] by process.parent.entity_id\n",
+    "risk_score": 21,
+    "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
+            "id": "T1085",
+            "name": "Rundll32",
+            "reference": "https://attack.mitre.org/techniques/T1085/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:07.897Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "type": "eql",
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.450Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "26411937-21e2-4ef1-9f74-ca0c20a43f8d",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
+    "false_positives": [
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
+    ],
+    "from": "now-60m",
+    "interval": "15m",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Exploit - Detected - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:07.904Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "machine_learning_job_id": "rare_method_for_a_city",
+    "name": "Unusual City For an AWS Command",
+    "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.472Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.",
-    "enabled": false,
-    "exceptions_list": [],
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography then the authorized user(s).",
     "false_positives": [
-      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."
     ],
     "from": "now-60m",
-    "id": "b69db49e-9018-42d6-9dee-4113ecd953e9",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
-    "language": "kuery",
+    "interval": "15m",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS EC2 Flow Log Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
+    "machine_learning_job_id": "rare_method_for_a_country",
+    "name": "Unusual Country For an AWS Command",
+    "note": "### Investigating an Unusual CloudTrail Event ###\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, manifested only very recently, it might be part of a new automation module or script. If it has a consistent cadence - for example, if it appears in small numbers on a weekly or monthly cadence it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
     "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
-      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "AWS",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 2
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."
     ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_dns_question",
+    "name": "Unusual DNS Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "746edc4c-c54c-49c6-97a1-651223819448",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Executable File Creation by a System Critical Process",
+    "query": "event.category:file and not event.type:deletion and file.extension:(exe or dll) and process.name:(smss.exe or autochk.exe or csrss.exe or wininit.exe or services.exe or lsass.exe or winlogon.exe or userinit.exe or LogonUI.exe)",
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872",
+    "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -16292,151 +12827,1236 @@
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1211",
+            "name": "Exploitation for Defense Evasion",
+            "reference": "https://attack.mitre.org/techniques/T1211/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.909Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.037Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Adversaries may attempt to get information about running processes on a system.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "bd679f00-3ad4-4450-8c78-7d2ba97027e5",
-    "immutable": true,
-    "index": ["winlogbeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Process Discovery via Tasklist",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:tasklist.exe",
-    "references": [],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "name": "Unusual File Modification by dns.exe",
+    "note": "### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.",
+    "query": "event.category:file and process.name:dns.exe and not file.name:dns.log",
+    "references": [
+      "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+      "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/"
+    ],
+    "risk_score": 73,
+    "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0007",
-          "name": "Discovery",
-          "reference": "https://attack.mitre.org/tactics/TA0007/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1057",
-            "name": "Process Discovery",
-            "reference": "https://attack.mitre.org/techniques/T1057/"
+            "id": "T1133",
+            "name": "External Remote Services",
+            "reference": "https://attack.mitre.org/techniques/T1133/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.892Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.061Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "7706cf2d-b4fc-4566-8f9b-914313612334",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "from": "now-45m",
+    "interval": "15m",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Credential Manipulation - Detected - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)",
-    "references": [],
-    "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
-    "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:07.895Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
+    "name": "Unusual Linux Network Activity",
+    "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_network_connection_discovery",
+    "name": "Unusual Linux Network Connection Discovery",
+    "risk_score": 21,
+    "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1049",
+            "name": "System Network Connections Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1049/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_port_activity_ecs",
+    "name": "Unusual Linux Network Port Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_service",
+    "name": "Unusual Linux Network Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-596e-bc35-f5707f820c4b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_metadata_process",
+    "name": "Unusual Linux Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_system_process_discovery",
+    "name": "Unusual Linux Process Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1057",
+            "name": "Process Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1057/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_system_information_discovery",
+    "name": "Unusual Linux System Information Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 25,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_network_configuration_discovery",
+    "name": "Unusual Linux System Network Configuration Discovery",
+    "risk_score": 21,
+    "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1016",
+            "name": "System Network Configuration Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1016/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.",
+    "false_positives": [
+      "Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_system_user_discovery",
+    "name": "Unusual Linux System Owner or User Discovery Activity",
+    "risk_score": 21,
+    "rule_id": "59756272-1998-4b8c-be14-e287035c4d10",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
+        },
+        "technique": [
+          {
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_metadata_user",
+    "name": "Unusual Linux User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_user_name_ecs",
+    "name": "Unusual Linux Username",
+    "note": "### Investigating an Unusual Linux User ###\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_anomalous_network_url_activity_ecs",
+    "name": "Unusual Linux Web Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "52afbdc5-db15-485e-bc35-f5707f820c4c",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies an unusually high number of authentication attempts.",
+    "false_positives": [
+      "Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "suspicious_login_activity_ecs",
+    "name": "Unusual Login Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Network Activity from a Windows System Binary",
+    "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n  [network where\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Network Connection via RunDLL32",
+    "query": "sequence by process.entity_id\n  [process where process.name : \"rundll32.exe\" and event.type == \"start\"]\n  [network where process.name : \"rundll32.exe\" and\n     not cidrmatch(destination.ip, \"10.0.0.0/8\",  \"172.16.0.0/12\", \"192.168.0.0/16\", \"127.0.0.0/8\")]\n",
+    "risk_score": 21,
+    "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1085",
+            "name": "Rundll32",
+            "reference": "https://attack.mitre.org/techniques/T1085/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 6
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_server_domain",
+    "name": "Unusual Network Destination Domain Name",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Parent Process for cmd.exe",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)",
+    "risk_score": 47,
+    "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1059",
+            "name": "Command and Scripting Interpreter",
+            "reference": "https://attack.mitre.org/techniques/T1059/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 1
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Parent-Child Relationship",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or process.name:autochk.exe and not process.parent.name:smss.exe or process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and not process.parent.name:svchost.exe or process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe) or process.name:SearchIndexer.exe and not process.parent.name:services.exe or process.name:SearchProtocolHost.exe and not process.parent.name:(SearchIndexer.exe or dllhost.exe) or process.name:dllhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:(lsass.exe or LsaIso.exe) and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))",
+    "risk_score": 47,
+    "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Privilege Escalation"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1093",
+            "name": "Process Hollowing",
+            "reference": "https://attack.mitre.org/techniques/T1093/"
+          }
+        ]
+      }
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
+    "false_positives": [
+      "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Unusual Process Execution - Temp",
+    "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp",
+    "risk_score": 47,
+    "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection"
+    ],
+    "type": "query",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_process_by_host_linux_ecs",
+    "name": "Unusual Process For a Linux Host",
+    "note": "### Investigating an Unusual Linux Process ###\nDetection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "rare_process_by_host_windows_ecs",
+    "name": "Unusual Process For a Windows Host",
+    "note": "### Investigating an Unusual Windows Process ###\nDetection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.\n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "eql",
+    "license": "Elastic License",
+    "name": "Unusual Process Network Connection",
+    "query": "sequence by process.entity_id\n  [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\") and\n     event.type == \"start\"]\n  [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n                  process.name : \"bginfo.exe\" or\n                  process.name : \"cdb.exe\" or\n                  process.name : \"cmstp.exe\" or\n                  process.name : \"csi.exe\" or\n                  process.name : \"dnx.exe\" or\n                  process.name : \"fsi.exe\" or\n                  process.name : \"ieexec.exe\" or\n                  process.name : \"iexpress.exe\" or\n                  process.name : \"odbcconf.exe\" or\n                  process.name : \"rcsi.exe\" or\n                  process.name : \"xwizard.exe\")]\n",
+    "risk_score": 21,
+    "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
+        },
+        "technique": [
+          {
+            "id": "T1127",
+            "name": "Trusted Developer Utilities Proxy Execution",
+            "reference": "https://attack.mitre.org/techniques/T1127/"
+          }
+        ]
+      }
+    ],
+    "type": "eql",
+    "version": 5
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
+    "false_positives": [
+      "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "linux_rare_sudo_user",
+    "name": "Unusual Sudo Activity",
+    "risk_score": 21,
+    "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "ML"
+    ],
+    "threat": [
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      },
+      {
+        "framework": "MITRE ATT&CK",
+        "tactic": {
+          "id": "TA0004",
+          "name": "Privilege Escalation",
+          "reference": "https://attack.mitre.org/tactics/TA0004/"
+        },
+        "technique": [
+          {
+            "id": "T1548",
+            "name": "Abuse Elevation Control Mechanism",
+            "reference": "https://attack.mitre.org/techniques/T1548/"
+          }
+        ]
+      }
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.",
+    "false_positives": [
+      "Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_urls",
+    "name": "Unusual Web Request",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.",
+    "false_positives": [
+      "Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "packetbeat_rare_user_agent",
+    "name": "Unusual Web User Agent",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Network",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.",
+    "false_positives": [
+      "A newly installed program or one that rarely uses the network could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_network_activity_ecs",
+    "name": "Unusual Windows Network Activity",
+    "note": "### Investigating Unusual Network Activity ###\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.",
+    "false_positives": [
+      "A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_path_activity_ecs",
+    "name": "Unusual Windows Path Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_metadata_process",
+    "name": "Unusual Windows Process Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.",
+    "false_positives": [
+      "Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_user_type10_remote_login",
+    "name": "Unusual Windows Remote User",
+    "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.",
+    "false_positives": [
+      "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_service",
+    "name": "Unusual Windows Service",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 75,
+    "author": [
+      "Elastic"
+    ],
+    "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.",
+    "false_positives": [
+      "A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_metadata_user",
+    "name": "Unusual Windows User Calling the Metadata Service",
+    "risk_score": 21,
+    "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 1
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.",
+    "false_positives": [
+      "Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_rare_user_runas_event",
+    "name": "Unusual Windows User Privilege Elevation Activity",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
+  },
+  {
+    "anomaly_threshold": 50,
+    "author": [
+      "Elastic"
+    ],
+    "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.",
+    "false_positives": [
+      "Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."
+    ],
+    "from": "now-45m",
+    "interval": "15m",
+    "license": "Elastic License",
+    "machine_learning_job_id": "windows_anomalous_user_name_ecs",
+    "name": "Unusual Windows Username",
+    "note": "### Investigating an Unusual Windows User ###\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
+    "references": [
+      "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
+    ],
+    "risk_score": 21,
+    "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "ML"
+    ],
+    "type": "machine_learning",
+    "version": 3
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.260Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.",
     "from": "now-9m",
-    "id": "ab894993-a865-4a03-9504-e9abf79f2d05",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
-    "language": "lucene",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 33,
-    "name": "Setuid Bit Set via chmod",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
-    "references": [],
+    "name": "User Account Creation",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
+    "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Persistence"
+    ],
     "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
-        },
-        "technique": [
-          {
-            "id": "T1166",
-            "name": "Setuid and Setgid",
-            "reference": "https://attack.mitre.org/techniques/T1166/"
-          }
-        ]
-      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
@@ -16446,109 +14066,88 @@
         },
         "technique": [
           {
-            "id": "T1166",
-            "name": "Setuid and Setgid",
-            "reference": "https://attack.mitre.org/techniques/T1166/"
+            "id": "T1136",
+            "name": "Create Account",
+            "reference": "https://attack.mitre.org/techniques/T1136/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.914Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.446Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-9m",
-    "id": "199b7a60-6cd7-472e-bd17-436dea6a2ed4",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Network Connection via Certutil",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:network and event.type:connection and process.name:certutil.exe and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
-    "references": [],
+    "name": "User Added as Owner for Azure Application",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:Success",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
+    "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0003",
+          "name": "Persistence",
+          "reference": "https://attack.mitre.org/tactics/TA0003/"
         },
         "technique": [
           {
-            "id": "T1105",
-            "name": "Ingress Tool Transfer",
-            "reference": "https://attack.mitre.org/techniques/T1105/"
+            "id": "T1098",
+            "name": "Account Manipulation",
+            "reference": "https://attack.mitre.org/techniques/T1098/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.916Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.262Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Consider adding exceptions to this rule to filter false positives if administrator privileges are regularly assigned to Okta groups in your organization."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.",
+    "from": "now-25m",
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-6m",
-    "id": "84994a84-fe8b-46af-b69b-1da9895e13c5",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Administrator Privileges Assigned to Okta Group",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:group.privilege.grant",
+    "name": "User Added as Owner for Azure Service Principal",
+    "note": "The Azure Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:Success",
     "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
+      "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"
     ],
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+    "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
+      "Cloud",
+      "Azure",
+      "Continuous Monitoring",
       "SecOps",
-      "Monitoring",
-      "Continuous Monitoring"
+      "Configuration Audit"
     ],
     "threat": [
       {
@@ -16567,358 +14166,280 @@
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.912Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.238Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.",
+    "false_positives": [
+      "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks."
+    ],
     "from": "now-9m",
-    "id": "1eaa6c55-e155-4663-885b-b974fa6d2e9f",
-    "immutable": true,
-    "index": ["winlogbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Svchost spawning Cmd",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
-    "references": [],
+    "name": "User Discovery via Whoami",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:whoami",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+    "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9",
     "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Windows"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0002",
-          "name": "Execution",
-          "reference": "https://attack.mitre.org/tactics/TA0002/"
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
         },
         "technique": [
           {
-            "id": "T1059",
-            "name": "Command and Scripting Interpreter",
-            "reference": "https://attack.mitre.org/techniques/T1059/"
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.919Z",
-    "updated_by": "tudor@elastic.co",
     "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.329Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
     "false_positives": [
-      "WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "ff336c75-be8e-4f8e-85ed-c10fddae8c1c",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS WAF Rule or Rule Group Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success",
-    "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
-      "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
+    "name": "VNC (Virtual Network Computing) from the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+    "risk_score": 73,
+    "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
     ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
-    "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
           }
         ]
-      }
-    ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:07.920Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.421Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
-    ],
-    "from": "now-60m",
-    "id": "0c886225-91f9-43ac-b512-fa4659a8b2ab",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS S3 Bucket Configuration Deletion",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
-      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
-      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
-      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
-      "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"
-    ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "227dc608-e558-43d9-b521-150772250bae",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": [
-      "AWS",
-      "Elastic",
-      "SecOps",
-      "Asset Visibility",
-      "Continuous Monitoring"
-    ],
-    "threat": [
+      },
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1070",
-            "name": "Indicator Removal on Host",
-            "reference": "https://attack.mitre.org/techniques/T1070/"
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.923Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.294Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
     "false_positives": [
-      "Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    ],
+    "index": [
+      "filebeat-*",
+      "packetbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "2c08698a-e45a-4d73-adc3-76bd8a72bdef",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS CloudTrail Log Updated",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"
+    "name": "VNC (Virtual Network Computing) to the Internet",
+    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
+    "risk_score": 47,
+    "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Network",
+      "Threat Detection",
+      "Command and Control"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
-        },
-        "technique": [
-          {
-            "id": "T1492",
-            "name": "Stored Data Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1492/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0009",
-          "name": "Collection",
-          "reference": "https://attack.mitre.org/tactics/TA0009/"
+          "id": "TA0011",
+          "name": "Command and Control",
+          "reference": "https://attack.mitre.org/tactics/TA0011/"
         },
         "technique": [
           {
-            "id": "T1530",
-            "name": "Data from Cloud Storage Object",
-            "reference": "https://attack.mitre.org/techniques/T1530/"
+            "id": "T1219",
+            "name": "Remote Access Software",
+            "reference": "https://attack.mitre.org/techniques/T1219/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.906Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.934Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-6m",
-    "id": "209ea014-c87d-45de-9a63-61ebff4f929f",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+    "false_positives": [
+      "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+    ],
+    "from": "now-9m",
+    "index": [
+      "auditbeat-*",
+      "logs-endpoint.events.*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "SMB (Windows File Sharing) Activity to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
+    "name": "Virtual Machine Fingerprinting",
+    "query": "event.category:process and event.type:(start or process_started) and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
+    "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Linux",
+      "Threat Detection",
+      "Discovery"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
         },
         "technique": [
           {
-            "id": "T1190",
-            "name": "Exploit Public-Facing Application",
-            "reference": "https://attack.mitre.org/techniques/T1190/"
+            "id": "T1082",
+            "name": "System Information Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1082/"
           }
         ]
-      },
+      }
+    ],
+    "type": "query",
+    "version": 4
+  },
+  {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License",
+    "name": "Volume Shadow Copy Deletion via VssAdmin",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:vssadmin.exe and process.args:(delete and shadows)",
+    "risk_score": 73,
+    "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+    "severity": "high",
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
+    "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0010",
-          "name": "Exfiltration",
-          "reference": "https://attack.mitre.org/tactics/TA0010/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1048",
-            "name": "Exfiltration Over Alternative Protocol",
-            "reference": "https://attack.mitre.org/techniques/T1048/"
+            "id": "T1490",
+            "name": "Inhibit System Recovery",
+            "reference": "https://attack.mitre.org/techniques/T1490/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.911Z",
-    "updated_by": "tudor@elastic.co",
     "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.254Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies an AWS configuration change to stop recording a designated set of resources.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "a92297d0-4a61-4ac6-bfba-c79f7f57b59c",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS Configuration Recorder Stopped",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
-      "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
-    ],
+    "name": "Volume Shadow Copy Deletion via WMIC",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:WMIC.exe and process.args:(delete and shadowcopy)",
     "risk_score": 73,
-    "risk_score_mapping": [],
-    "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+    "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
     "severity": "high",
-    "severity_mapping": [],
-    "tags": ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
@@ -16929,610 +14450,369 @@
         },
         "technique": [
           {
-            "id": "T1089",
-            "name": "Disabling Security Tools",
-            "reference": "https://attack.mitre.org/techniques/T1089/"
+            "id": "T1107",
+            "name": "File Deletion",
+            "reference": "https://attack.mitre.org/techniques/T1107/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.922Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.352Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to modify an Okta multi-factor authentication (MFA) rule in order to remove or weaken an organization's security controls.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to a web application server contained no identifying user agent string.",
     "false_positives": [
-      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+      "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "filters": [
+      {
+        "$state": {
+          "store": "appState"
+        },
+        "exists": {
+          "field": "user_agent.original"
+        },
+        "meta": {
+          "disabled": false,
+          "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+          "key": "user_agent.original",
+          "negate": true,
+          "type": "exists",
+          "value": "exists"
+        }
+      }
+    ],
+    "index": [
+      "apm-*-transaction*"
     ],
-    "from": "now-6m",
-    "id": "e24d609a-112b-4178-bf13-10da86788cd1",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Modify Okta MFA Rule",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete)",
+    "name": "Web Application Suspicious Activity: No User Agent",
+    "query": "url.path:*",
     "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
+      "https://en.wikipedia.org/wiki/User_agent"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
-    "severity": "low",
-    "severity_mapping": [],
+    "risk_score": 47,
+    "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
+    "severity": "medium",
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "APM"
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.925Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.005Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed",
     "false_positives": [
-      "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious."
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
     ],
-    "from": "now-9m",
-    "id": "17eb4156-8da8-46f1-bec2-c768d714d9da",
-    "immutable": true,
-    "index": ["auditbeat-*", "logs-endpoint.events.*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Mknod Process Activity",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:process and event.type:(start or process_started) and process.name:mknod",
+    "name": "Web Application Suspicious Activity: POST Request Declined",
+    "query": "http.response.status_code:403 and http.request.method:post",
     "references": [
-      "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/"
+      "https://en.wikipedia.org/wiki/HTTP_403"
+    ],
+    "risk_score": 47,
+    "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "APM"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Linux"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.926Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 5
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.481Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-20m",
-    "id": "a4341043-0fe2-408a-80fa-0abf449affab",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "5m",
+    "author": [
+      "Elastic"
+    ],
+    "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource",
+    "false_positives": [
+      "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
+    ],
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS IAM Brute Force of Assume Role Policy",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure",
+    "name": "Web Application Suspicious Activity: Unauthorized Method",
+    "query": "http.response.status_code:405",
     "references": [
-      "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
-      "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
+      "https://en.wikipedia.org/wiki/HTTP_405"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636",
+    "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
-    ],
-    "threat": [
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0006",
-          "name": "Credential Access",
-          "reference": "https://attack.mitre.org/tactics/TA0006/"
-        },
-        "technique": [
-          {
-            "id": "T1110",
-            "name": "Brute Force",
-            "reference": "https://attack.mitre.org/techniques/T1110/"
-          }
-        ]
-      }
+      "APM"
     ],
-    "threshold": {
-      "field": "",
-      "value": 25
-    },
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "threshold",
-    "updated_at": "2020-10-07T10:12:07.917Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "type": "query",
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.323Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.",
     "false_positives": [
-      "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."
+      "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."
+    ],
+    "index": [
+      "apm-*-transaction*"
     ],
-    "from": "now-6m",
-    "id": "d63c2248-0c5e-4ea5-9853-1008576c3939",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Modification or Removal of an Okta Application Sign-On Policy",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)",
+    "name": "Web Application Suspicious Activity: sqlmap User Agent",
+    "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
     "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
+      "http://sqlmap.org/"
     ],
     "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe",
+    "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
     "severity": "medium",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "APM"
     ],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.928Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.315Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.",
-    "enabled": false,
-    "exceptions_list": [],
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.",
     "false_positives": [
-      "Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+      "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."
+    ],
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-60m",
-    "id": "f99659c1-3931-4442-819e-46f37f3dc8b6",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-aws*"],
-    "interval": "10m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "AWS EC2 Encryption Disabled",
-    "note": "The AWS Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success",
-    "references": [
-      "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
-      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
-      "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
-    ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
-    "severity": "medium",
-    "severity_mapping": [],
+    "name": "Whoami Process Activity",
+    "query": "event.category:process and event.type:(start or process_started) and process.name:whoami.exe",
+    "risk_score": 21,
+    "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
+    "severity": "low",
     "tags": [
-      "AWS",
       "Elastic",
-      "SecOps",
-      "Data Protection",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Discovery"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0040",
-          "name": "Impact",
-          "reference": "https://attack.mitre.org/tactics/TA0040/"
+          "id": "TA0007",
+          "name": "Discovery",
+          "reference": "https://attack.mitre.org/tactics/TA0007/"
         },
         "technique": [
           {
-            "id": "T1492",
-            "name": "Stored Data Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1492/"
+            "id": "T1033",
+            "name": "System Owner/User Discovery",
+            "reference": "https://attack.mitre.org/techniques/T1033/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:07.929Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
-  },
-  {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.219Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the link in the rule.reference column for additional information.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [],
-    "from": "now-15m",
-    "id": "93de88b0-72d2-43b3-9d87-346f2abeedc6",
-    "immutable": true,
-    "index": ["endgame-*"],
-    "interval": "10m",
-    "language": "kuery",
-    "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Malware - Detected - Endpoint Security",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)",
-    "references": [],
-    "risk_score": 99,
-    "risk_score_mapping": [],
-    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
-    "severity": "critical",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Endpoint"],
-    "threat": [],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.931Z",
-    "updated_by": "tudor@elastic.co",
     "version": 4
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.422Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "An adversary may deactivate multi-factor authentication (MFA) for an Okta user account in order to weaken the authentication requirements for the account.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."
+    "author": [
+      "Elastic"
+    ],
+    "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.",
+    "index": [
+      "winlogbeat-*"
     ],
-    "from": "now-6m",
-    "id": "7051d159-5337-4d79-bfdb-606084f83d06",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Attempt to Deactivate MFA for Okta User Account",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
+    "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
+    "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"",
     "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+    "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3",
     "severity": "low",
-    "severity_mapping": [],
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Identity and Access",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1098",
-            "name": "Account Manipulation",
-            "reference": "https://attack.mitre.org/techniques/T1098/"
+            "id": "T1116",
+            "name": "Code Signing",
+            "reference": "https://attack.mitre.org/techniques/T1116/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.934Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 3
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.328Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "A user may report suspicious activity on their Okta account in error."
+    "author": [
+      "Elastic"
+    ],
+    "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
+    "from": "now-9m",
+    "index": [
+      "winlogbeat-*",
+      "logs-endpoint.events.*"
     ],
-    "from": "now-6m",
-    "id": "40bb407a-fe8a-4072-8ad5-e6e727acb66d",
-    "immutable": true,
-    "index": ["filebeat-*", "logs-okta*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "Suspicious Activity Reported by Okta User",
-    "note": "The Okta Filebeat module must be enabled to use this rule.",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser",
-    "references": [
-      "https://developer.okta.com/docs/reference/api/system-log/",
-      "https://developer.okta.com/docs/reference/api/event-types/"
-    ],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
-    "severity": "medium",
-    "severity_mapping": [],
+    "name": "Windows Script Executing PowerShell",
+    "query": "event.category:process and event.type:(start or process_started) and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe",
+    "risk_score": 21,
+    "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
+    "severity": "low",
     "tags": [
       "Elastic",
-      "Okta",
-      "SecOps",
-      "Monitoring",
-      "Continuous Monitoring"
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Execution"
     ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0001",
-          "name": "Initial Access",
-          "reference": "https://attack.mitre.org/tactics/TA0001/"
-        },
-        "technique": [
-          {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0003",
-          "name": "Persistence",
-          "reference": "https://attack.mitre.org/tactics/TA0003/"
-        },
-        "technique": [
-          {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0004",
-          "name": "Privilege Escalation",
-          "reference": "https://attack.mitre.org/tactics/TA0004/"
-        },
-        "technique": [
-          {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0005",
-          "name": "Defense Evasion",
-          "reference": "https://attack.mitre.org/tactics/TA0005/"
+          "id": "TA0002",
+          "name": "Execution",
+          "reference": "https://attack.mitre.org/tactics/TA0002/"
         },
         "technique": [
           {
-            "id": "T1078",
-            "name": "Valid Accounts",
-            "reference": "https://attack.mitre.org/techniques/T1078/"
+            "id": "T1193",
+            "name": "Spearphishing Attachment",
+            "reference": "https://attack.mitre.org/techniques/T1193/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:07.936Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 2
+    "version": 5
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:06.471Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."
+    "author": [
+      "Elastic"
     ],
-    "from": "now-6m",
-    "id": "17182c19-a63a-4b99-b55c-f9f02ba8d0b1",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
-    "language": "kuery",
+    "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.",
+    "from": "now-9m",
+    "index": [
+      "logs-endpoint.events.*",
+      "winlogbeat-*"
+    ],
+    "language": "eql",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "VNC (Virtual Network Computing) to the Internet",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"::1\")",
-    "references": [],
-    "risk_score": 47,
-    "risk_score_mapping": [],
-    "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
+    "name": "Windows Suspicious Script Object Execution",
+    "query": "/* add winlogbeat-* when process.code_signature.* fields are populated */\n\nsequence by process.entity_id with maxspan=2m\n  [process where event.type in (\"start\", \"process_started\") and\n     /* uncomment once in winlogbeat */\n     /* process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and */\n     not (process.name : \"cscript.exe\" or\n          process.name : \"iexplore.exe\" or\n          process.name : \"MicrosoftEdge.exe\" or\n          process.name : \"msiexec.exe\" or\n          process.name : \"smartscreen.exe\" or\n          process.name : \"taskhostw.exe\" or\n          process.name : \"w3wp.exe\" or\n          process.name : \"wscript.exe\")]\n  [library where event.type == \"start\" and file.name : \"scrobj.dll\"]\n",
+    "risk_score": 21,
+    "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff",
     "severity": "medium",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
+    "tags": [
+      "Elastic",
+      "Host",
+      "Windows",
+      "Threat Detection",
+      "Defense Evasion"
+    ],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
+          "id": "TA0005",
+          "name": "Defense Evasion",
+          "reference": "https://attack.mitre.org/tactics/TA0005/"
         },
         "technique": [
           {
-            "id": "T1219",
-            "name": "Remote Access Software",
-            "reference": "https://attack.mitre.org/techniques/T1219/"
+            "id": "T1064",
+            "name": "Scripting",
+            "reference": "https://attack.mitre.org/techniques/T1064/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
-    "type": "query",
-    "updated_at": "2020-10-07T10:12:08.052Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 5
+    "type": "eql",
+    "version": 1
   },
   {
-    "actions": [],
-    "author": ["Elastic"],
-    "created_at": "2020-10-05T15:46:05.852Z",
-    "created_by": "marra.sherrier@elastic.co",
-    "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.",
-    "enabled": false,
-    "exceptions_list": [],
-    "false_positives": [
-      "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."
+    "author": [
+      "Elastic"
+    ],
+    "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.",
+    "index": [
+      "filebeat-*"
     ],
-    "from": "now-6m",
-    "id": "6d9d9376-87ee-46ed-a2b1-5559f468fe52",
-    "immutable": true,
-    "index": ["filebeat-*", "packetbeat-*"],
-    "interval": "5m",
     "language": "kuery",
     "license": "Elastic License",
-    "max_signals": 100,
-    "name": "SMTP on Port 26/TCP",
-    "output_index": ".siem-signals-siem-estc-dev-default",
-    "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+    "name": "Zoom Meeting with no Passcode",
+    "note": "This rule requires the Zoom Filebeat module.",
+    "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and event.action:meeting.created and not zoom.meeting.password:*",
     "references": [
-      "https://unit42.paloaltonetworks.com/unit42-badpatch/",
-      "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
+      "https://blog.zoom.us/a-message-to-our-users/",
+      "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"
+    ],
+    "risk_score": 47,
+    "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba",
+    "severity": "medium",
+    "tags": [
+      "Elastic",
+      "Application",
+      "Communication",
+      "Zoom",
+      "Continuous Monitoring",
+      "SecOps",
+      "Configuration Audit"
     ],
-    "risk_score": 21,
-    "risk_score_mapping": [],
-    "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
-    "severity": "low",
-    "severity_mapping": [],
-    "tags": ["Elastic", "Network"],
     "threat": [
       {
         "framework": "MITRE ATT&CK",
         "tactic": {
-          "id": "TA0011",
-          "name": "Command and Control",
-          "reference": "https://attack.mitre.org/tactics/TA0011/"
-        },
-        "technique": [
-          {
-            "id": "T1043",
-            "name": "Commonly Used Port",
-            "reference": "https://attack.mitre.org/techniques/T1043/"
-          }
-        ]
-      },
-      {
-        "framework": "MITRE ATT&CK",
-        "tactic": {
-          "id": "TA0010",
-          "name": "Exfiltration",
-          "reference": "https://attack.mitre.org/tactics/TA0010/"
+          "id": "TA0001",
+          "name": "Initial Access",
+          "reference": "https://attack.mitre.org/tactics/TA0001/"
         },
         "technique": [
           {
-            "id": "T1048",
-            "name": "Exfiltration Over Alternative Protocol",
-            "reference": "https://attack.mitre.org/techniques/T1048/"
+            "id": "T1190",
+            "name": "Exploit Public-Facing Application",
+            "reference": "https://attack.mitre.org/techniques/T1190/"
           }
         ]
       }
     ],
-    "throttle": "no_actions",
-    "to": "now",
     "type": "query",
-    "updated_at": "2020-10-07T10:12:08.073Z",
-    "updated_by": "tudor@elastic.co",
-    "version": 4
+    "version": 1
   }
-]
+]
\ No newline at end of file
diff --git a/prebuilt-rules-scripts/update_current_text.py b/prebuilt-rules-scripts/update_current_text.py
index cf6fb39140..e749fec004 100644
--- a/prebuilt-rules-scripts/update_current_text.py
+++ b/prebuilt-rules-scripts/update_current_text.py
@@ -6,7 +6,7 @@
 from pathlib import Path
 import re
 
-releaseVersion = "7.9.1" #Security app release version - update as required
+releaseVersion = "7.10.0" #Security app release version - update as required
 
 def sort_by_name(rule):
     '''