diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index c567ad89f..27c9ce51e 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 0b5d652fd..17b0f004b 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
index edab01552..d3ae5ec27 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/19"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 75
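Review bot: The two added keys are appended after `updated_date` in this hunk and in every other hunk of the commit that introduces them, which breaks the alphabetical order the metadata table otherwise keeps (`creation_date`, `integration`, `maturity`, `updated_date`); the three hunks that already carried the keys (collection_posh_compression, defense_evasion_powershell_clear_logs_script, discovery_posh_generic) keep them sorted, so the repo ends up with two layouts. Moving `min_stack_comments` and `min_stack_version` above `updated_date` would match those files, and in the certutil hunk the keys additionally land after `bypass_bbr_timing`, which makes the table harder to scan. Separately, `min_stack_comments` states only that a breaking change exists; naming the changed field or the integration release that introduced it would let a later maintainer judge whether the floor can move. The `[rule]` body of each file lies outside the hunk.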
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
index f0725aa91..479bddbea 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
index b61fba180..14b936487 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index 9ada6eca8..6e6e84e73 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index cd4ee9187..0b7e329be 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index 9b7646f30..7e0699045 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index 8e2533acf..a010cb7e7 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index 89ccc71f7..33d8ed759 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index e9dc2c508..2e6b05829 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index 9bdf47010..43a98b856 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index 23fd8dfc0..6eb22e315 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index 5fdd2d4a6..8637ff9cf 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index a17357a16..5347e5c00 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index ecc0bb7c7..d21e63068 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index 39a9d623f..cc7adf6f4 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index b80a807ed..0ef4f801c 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml
index ac98225fd..63938309c 100644
--- a/rules/ml/persistence_ml_windows_anomalous_service.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_service.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
index a4a9a6ceb..e996d8761 100644
--- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
index 95d38e465..9ac967089 100644
--- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
+++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml
index d879df610..921f28610 100644
--- a/rules_building_block/collection_outlook_email_archive.toml
+++ b/rules_building_block/collection_outlook_email_archive.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/21"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml
index 90f10a09b..5b1150f75 100644
--- a/rules_building_block/collection_posh_compression.toml
+++ b/rules_building_block/collection_posh_compression.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/07/06"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/07/17"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml
index 084dd5ab1..2b54cbba5 100644
--- a/rules_building_block/command_and_control_bitsadmin_activity.toml
+++ b/rules_building_block/command_and_control_bitsadmin_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/21"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml
index 2b7445b05..9515031a2 100644
--- a/rules_building_block/command_and_control_certutil_network_connection.toml
+++ b/rules_building_block/command_and_control_certutil_network_connection.toml
@@ -2,8 +2,10 @@
 creation_date = "2020/03/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/01"
+updated_date = "2024/10/28"
 bypass_bbr_timing = true
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml
index f1c91c594..5cb1e8fc4 100644
--- a/rules_building_block/credential_access_win_private_key_access.toml
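Review bot: Overwriting `min_stack_comments` here discards the earlier rationale ("KQL handles backslash and ? characters differently in 8.12+."), so a reader now sees only the 8.14.0 Windows Integration note and could later lower the floor back below 8.12 without knowing the query text depends on the newer KQL escaping; the same replacement appears in defense_evasion_powershell_clear_logs_script and discovery_posh_generic. Keeping both reasons in the one string costs nothing, e.g. `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration; KQL handles backslash and ? characters differently in 8.12+."`. The hunk's trailing context stops at `[rule]`, so the rule body is outside it.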
+++ b/rules_building_block/credential_access_win_private_key_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/21"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
index 438157e34..45e62b406 100644
--- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
+++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml
index 057ed0bef..5e901e34f 100644
--- a/rules_building_block/defense_evasion_cmstp_execution.toml
+++ b/rules_building_block/defense_evasion_cmstp_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
index 17f756e39..68ad590b5 100644
--- a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
+++ b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_installutil_command_activity.toml b/rules_building_block/defense_evasion_installutil_command_activity.toml
index af08c1ad6..f0718951b 100644
--- a/rules_building_block/defense_evasion_installutil_command_activity.toml
+++ b/rules_building_block/defense_evasion_installutil_command_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
index 64e90b840..1c7efb230 100644
--- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
+++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/26"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_posh_defender_tampering.toml b/rules_building_block/defense_evasion_posh_defender_tampering.toml
index 2d4726976..d512e6238 100644
--- a/rules_building_block/defense_evasion_posh_defender_tampering.toml
+++ b/rules_building_block/defense_evasion_posh_defender_tampering.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2024/09/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/09/11"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
index 1987bfdb2..ed5067dbc 100644
--- a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
+++ b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/07/06"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/07/17"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml
index f92f56dfa..d8411c0a5 100644
--- a/rules_building_block/defense_evasion_service_path_registry.toml
+++ b/rules_building_block/defense_evasion_service_path_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml
index f0c502adc..f31ea2967 100644
--- a/rules_building_block/defense_evasion_services_exe_path.toml
+++ b/rules_building_block/defense_evasion_services_exe_path.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
index b4c6cbd8b..6928b4187 100644
--- a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
+++ b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/26"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
index b360cffe9..f5ab763eb 100644
--- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
+++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml
index 1b040ee91..de838caec 100644
--- a/rules_building_block/defense_evasion_write_dac_access.toml
+++ b/rules_building_block/defense_evasion_write_dac_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
index 54db4204e..927b78220 100644
--- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
+++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml
index e794fc9de..5cd753d86 100644
--- a/rules_building_block/discovery_generic_process_discovery.toml
+++ b/rules_building_block/discovery_generic_process_discovery.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml
index c604a317f..3194c5290 100644
--- a/rules_building_block/discovery_net_share_discovery_winlog.toml
+++ b/rules_building_block/discovery_net_share_discovery_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/14"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml
index 2b71644a8..2a994dd41 100644
--- a/rules_building_block/discovery_net_view.toml
+++ b/rules_building_block/discovery_net_view.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml
index b3ee1d1d7..99cc4afdb 100644
--- a/rules_building_block/discovery_posh_generic.toml
+++ b/rules_building_block/discovery_posh_generic.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/07/06"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/04/05"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml
index 717f91f01..3178120fd 100644
--- a/rules_building_block/discovery_posh_password_policy.toml
+++ b/rules_building_block/discovery_posh_password_policy.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml
index 79995fdde..7c419eed4 100644
--- a/rules_building_block/discovery_security_software_wmic.toml
+++ b/rules_building_block/discovery_security_software_wmic.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml
index d9d91405e..c70601ed3 100644
--- a/rules_building_block/discovery_system_service_discovery.toml
+++ b/rules_building_block/discovery_system_service_discovery.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml
index 81a976b3d..af6dab02a 100644
--- a/rules_building_block/discovery_windows_system_information_discovery.toml
+++ b/rules_building_block/discovery_windows_system_information_discovery.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/07/06"
 integration = ["windows", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml
index 411b3322e..e359ebfef 100644
--- a/rules_building_block/execution_settingcontent_ms_file_creation.toml
+++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml
index 4e8ad5e35..7e0591100 100644
--- a/rules_building_block/execution_wmi_wbemtest.toml
+++ b/rules_building_block/execution_wmi_wbemtest.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml
index 91a591155..7d63c514b 100644
--- a/rules_building_block/lateral_movement_at.toml
+++ b/rules_building_block/lateral_movement_at.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/21"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml
index a1da33dda..0125b3949 100644
--- a/rules_building_block/lateral_movement_wmic_remote.toml
+++ b/rules_building_block/lateral_movement_wmic_remote.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml
index 41a64eb14..d4a1efd3b 100644
--- a/rules_building_block/persistence_transport_agent_exchange.toml
+++ b/rules_building_block/persistence_transport_agent_exchange.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]