[Tuning] Add logs-system. index where applicable (#3390)

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update initial_access_suspicious_ms_office_child_process.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update initial_access_suspicious_ms_exchange_process.toml

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update execution_from_unusual_path_cmdline.toml

* Update execution_enumeration_via_wmiprvse.toml

* Update execution_command_shell_started_by_svchost.toml

* Update discovery_enumerating_domain_trusts_via_nltest.toml

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

* Update defense_evasion_workfolders_control_execution.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* Update defense_evasion_disabling_windows_logs.toml

* Update credential_access_wireless_creds_dumping.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update credential_access_iis_connectionstrings_dumping.toml

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_dns_tunneling_nslookup.toml

* Update persistence_webshell_detection.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update privilege_escalation_named_pipe_impersonation.toml

* Update command_and_control_certreq_postdata.toml

* Update defense_evasion_suspicious_certutil_commands.toml

* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update persistence_system_shells_via_services.toml

* Update execution_suspicious_cmd_wmi.toml

* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update discovery_adfind_command_activity.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_unusual_dir_ads.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update discovery_admin_recon.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update lateral_movement_alternate_creds_pth.toml

* Update persistence_via_windows_management_instrumentation_event_subscription.toml

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update persistence_via_application_shimming.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
sbousseaden
2024-01-17 13:49:59 +00:00
committed by GitHub
parent 71cec2a0e1
commit 27262a585b
59 changed files with 219 additions and 224 deletions
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/01/13"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/03"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -37,7 +37,7 @@ description = """
Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential File Transfer via Certreq"
@@ -104,7 +104,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "CertReq.exe" or process.pe.original_file_name == "CertReq.exe") and process.args : "-Post"
(process.name : "CertReq.exe" or ?process.pe.original_file_name == "CertReq.exe") and process.args : "-Post"
'''
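Review bot: In the query hunk, once `?process.pe.original_file_name` is optional, an event that does not carry the field — presumably the case for the newly added `logs-system.security*` source, which is why the `?` was needed — is matched on `process.name : "CertReq.exe"` alone, so the original-file-name condition no longer backs the match for that source. That is a reasonable trade-off, but nothing in the rule records it; I would add a sentence to the rule's note or description along the lines of: "For logs-system.security* events process.pe.original_file_name is not expected to be populated, so the match degrades to process.name only; confirm the field's availability when tuning." The same applies to every later section in this commit that makes the same `?process.pe.original_file_name` substitution (desktopimgdownldr, MpCmdRun, reg.exe, appcmd, aspnet_regiis, netsh, attrib, PowerShell history, wevtutil, bcdedit, Defender exclusions, fsutil, logman/auditpol, netsh RDP, wuauclt, IIS HTTP logging), so one shared wording could be applied to each.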
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/11/11"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/16"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl
may indicate command and control activity utilizing the DNS protocol.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential DNS Tunneling via NsLookup"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/09/03"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2023/12/07"
updated_date = "2024/01/16"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -70,7 +70,7 @@ Identifies the desktopimgdownldr utility being used to download a remote file. A
download arbitrary files as an alternative to certutil.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via Desktopimgdownldr Utility"
@@ -160,7 +160,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "desktopimgdownldr.exe" or process.pe.original_file_name == "desktopimgdownldr.exe") and
(process.name : "desktopimgdownldr.exe" or ?process.pe.original_file_name == "desktopimgdownldr.exe") and
process.args : "/lockscreenurl:http*"
'''
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/09/03"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2023/12/07"
updated_date = "2024/01/16"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -67,7 +67,7 @@ providers = [
author = ["Elastic"]
description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via MpCmdRun"
@@ -157,7 +157,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "MpCmdRun.exe" or process.pe.original_file_name == "MpCmdRun.exe") and
(process.name : "MpCmdRun.exe" or ?process.pe.original_file_name == "MpCmdRun.exe") and
process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path"
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/11/24"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/03"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -38,7 +38,7 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o
Those files contain sensitive information including hashed domain and/or local credentials.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -122,12 +122,12 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(
(process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and
((?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") or process.name : ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")) and
process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
) or
(process.pe.original_file_name : "esentutl.exe" and process.args : ("*/y*", "*/vss*", "*/d*"))
((?process.pe.original_file_name : "esentutl.exe" or process.name : "esentutl.exe") and process.args : ("*/y*", "*/vss*", "*/d*"))
) and
process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*")
process.command_line : ("*\\ntds.dit*", "*\\config\\SAM*", "*\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*", "*\\User Data\\*")
'''
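Review bot: The new `process.command_line` pattern list adds `"*\\User Data\\*"`, which widens the rule beyond ntds.dit and SAM to what looks like browser profile directories, but the description visible at the top of the section ("Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o…") and the rest of the rule still describe only the AD/SAM case. Either update the description to name the additional target or move that path into its own rule so the alert title stays accurate for triage. Moving from `process.args` to `process.command_line` with leading and trailing `*` also means `"*\\config\\SAM*"` now matches any command line containing that substring, including paths whose next component merely starts with `SAM`; if that matters in your data, consider adding the exact-tail variants instead of the open-ended wildcard. A one-line `/* … */` comment in the query stating why command_line was preferred over args (presumably because the added source does not split arguments the same way — worth confirming) would help future tuning.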
@@ -1,16 +1,16 @@
[metadata]
creation_date = "2020/11/23"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Credential Acquisition via Registry Hive Dumping"
@@ -83,7 +83,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.pe.original_file_name == "reg.exe" and
(?process.pe.original_file_name == "reg.exe" or process.name : "reg.exe") and
process.args : ("save", "export") and
process.args : ("hklm\\sam", "hklm\\security")
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/08/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be
with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -36,7 +36,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and
(process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and
process.args : "/list" and process.args : "/text*password"
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/08/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ access via a webshell or alike can decrypt and dump any hardcoded connection str
password using aspnet_regiis command.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -40,7 +40,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and
(process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
process.args : "connectionStrings" and process.args : "-pdf"
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2022/11/01"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -36,7 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
author = ["Elastic"]
description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Wireless Credential Dumping using Netsh Command"
@@ -103,7 +103,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and
(process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and
process.args : "wlan" and process.args : "key*clear"
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -35,7 +35,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
author = ["Elastic"]
description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Adding Hidden File Attribute via Attrib"
@@ -103,11 +103,8 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "attrib.exe" or process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and
not
(process.parent.name: "cmd.exe" and
process.command_line: "attrib +R +H +S +A *.cui" and
process.parent.command_line: "?:\\WINDOWS\\system32\\cmd.exe /c \"?:\\WINDOWS\\system32\\*.bat\"")
(process.name : "attrib.exe" or ?process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and
not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui")
'''
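Review bot: The exclusion in the query hunk is broadened: the parent command-line constraint `process.parent.command_line: "?:\\WINDOWS\\system32\\cmd.exe /c \"?:\\WINDOWS\\system32\\*.bat\""` is dropped, so any `attrib +R +H +S +A *.cui` launched from cmd.exe is now excluded regardless of what started that cmd.exe. Presumably this was done because the newly added source does not populate `process.parent.command_line`; if so, keep the stricter check where the field exists, e.g. `not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui" and (?process.parent.command_line == null or process.parent.command_line: "?:\\WINDOWS\\system32\\cmd.exe /c \"?:\\WINDOWS\\system32\\*.bat\""))`. A short `/* … */` comment above the `not` naming the benign activity the exclusion covers would also make later tuning safer.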
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/11/22"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Austin Songer"]
@@ -13,7 +13,7 @@ Identifies when a user attempts to clear console history. An adversary may clear
account to conceal the actions undertaken during an intrusion.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Clearing Windows Console History"
@@ -80,7 +80,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name == "PowerShell.EXE") and
(process.args : "*Clear-History*" or
(process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or
(process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*"))
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies attempts to clear or disable Windows event log stores using Windows w
attackers in an attempt to evade detection or destroy forensic evidence on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Clearing Windows Event Logs"
@@ -77,7 +77,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
(
(
(process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and
(process.name : "wevtutil.exe" or ?process.pe.original_file_name == "wevtutil.exe") and
process.args : ("/e:false", "cl", "clear-log")
) or
(
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/01/31"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -27,7 +27,7 @@ authenticity on a program, and grants the user with the ability to check whether
By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Code Signing Policy Modification Through Built-in tools"
@@ -96,7 +96,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name: "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and
(process.name: "bcdedit.exe" or ?process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and
process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS")
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/07/20"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies modifications to the Windows Defender configuration settings using Po
directory or process level.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Defender Exclusions Added via PowerShell"
@@ -93,7 +93,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and
process.args : ("*-Exclusion*")
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is
of files created during post-exploitation activities.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Delete Volume USN Journal with Fsutil"
@@ -58,7 +58,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and
(process.name : "fsutil.exe" or ?process.pe.original_file_name == "fsutil.exe") and
process.args : "deletejournal" and process.args : "usn"
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the netsh.exe to disable or weaken the local firewall. Attacke
disable the firewall during troubleshooting or to enable network mobility.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Disable Windows Firewall Rules via Netsh"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/05/06"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -13,7 +13,7 @@ Identifies attempts to disable EventLog via the logman Windows utility, PowerShe
attackers in an attempt to evade detection on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Disable Windows Event and Security Logs Using Built-in Tools"
@@ -79,14 +79,14 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(
((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and
((process.name:"logman.exe" or ?process.pe.original_file_name == "Logman.exe") and
process.args : "EventLog-*" and process.args : ("stop", "delete")) or
((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or process.pe.original_file_name in
((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or ?process.pe.original_file_name in
("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and
process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or
((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable")
((process.name:"auditpol.exe" or ?process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable")
)
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/10/13"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote
the Windows Firewall.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Remote Desktop Enabled in Windows Firewall by Netsh"
@@ -79,7 +79,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and
(process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and
process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and
process.args : ("action=allow", "enable=Yes", "enable")
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/09/08"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies unusual instances of Control Panel with suspicious keywords or paths
Adversaries may abuse control.exe to proxy execution of malicious code.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Control Panel Process with Unusual Arguments"
@@ -1,6 +1,6 @@
[metadata]
creation_date = "2020/10/13"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -38,7 +38,7 @@ Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load
as a defense evasion technique to blend-in malicious activity with legitimate Windows software.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "ImageLoad via Windows Update Auto Update Client"
@@ -120,7 +120,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and
(?process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and
/* necessary windows update client args to load a dll */
process.args : "/RunHandlerComServer" and process.args : "/UpdateDeploymentProvider" and
/* common paths writeable by a standard user where the target DLL can be placed */
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Build Engine Started an Unusual Process"
@@ -47,8 +47,8 @@ timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:windows and event.category:process and event.type:start and process.parent.name:"MSBuild.exe" and
process.name.caseless:("csc.exe" or "iexplore.exe" or "powershell.exe")
host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and
process.name:("csc.exe" or "iexplore.exe" or "powershell.exe")
'''
[[rule.threat]]
@@ -82,7 +82,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.name", "process.parent.command_line"]
value = ["host.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
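Review bot: Dropping `process.parent.command_line` from `new_terms_fields` changes what counts as new: the rule now fires once per `host.id`/`user.name` pair within the history window and stays silent for any later MSBuild-spawned csc/powershell on that host and user, regardless of command line. That trade-off is presumably what lets Security 4688 events (which carry no parent command line) qualify, since a new-terms rule skips documents missing any term field, but nothing in the visible hunks records it; a one-line `note` or `min_stack_comments` entry stating why the field was removed would help the next tuner. Separately, `process.parent.name:("MSBuild.exe" or "msbuild.exe")` is an exact-case keyword match in KQL, so a differently cased image name slips through; if `.caseless` had to go for the new index, say so in the same note.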
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/04/14"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies when Internet Information Services (IIS) HTTP Logging is disabled on
access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -70,7 +70,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and
(process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and
process.args : "/dontLog*:*True" and
not process.parent.name : "iissetup.exe"
'''
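Review bot: The `process.args : "/dontLog*:*True"` clause can only be satisfied from `logs-system.security*` when Security event 4688 is collected with command-line auditing enabled (the "Include command line in process creation events" policy); without it the event has no `process.args` and the rule silently never matches from that source. If the rule's `setup` text (outside this hunk) does not already state that prerequisite, add it there, e.g. `For the System integration, this rule requires the "Include command line in process creation events" audit policy to be enabled.` The `?` on `process.pe.original_file_name` correctly handles that field being unmapped on the new index, but it does not cover the missing-args case.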
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -39,7 +39,7 @@ Certificate Services. CertUtil is often abused by attackers to live off the land
data exfiltration.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious CertUtil Commands"
@@ -110,7 +110,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and
(process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") and
process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX")
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/12/04"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies processes running from an Alternate Data Stream. This is uncommon for
by adversaries to hide malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Process Execution Path - Alternate Data Stream"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2022/03/02"
integration = ["windows"]
integration = ["windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -13,7 +13,7 @@ Identifies the use of Windows Work Folders to execute a potentially masqueraded
directory. Misuse of Windows Work Folders could indicate malicious activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Signed Proxy Execution via MS Work Folders"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/01/13"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2023/12/21"
updated_date = "2024/01/16"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversarie
and use WSL for Linux to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Windows Subsystem for Linux"
@@ -33,12 +33,12 @@ query = '''
process where host.os.type == "windows" and event.type : "start" and
(
(
(process.executable : "?:\\Windows\\System32\\bash.exe" or process.pe.original_file_name == "Bash.exe") and
(process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and
not process.command_line : ("bash", "bash.exe")
) or
process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
(
process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
process.parent.name : "wsl.exe" and ?process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
) or
(
process.name : "wsl.exe" and process.args : (
@@ -1,6 +1,6 @@
[metadata]
creation_date = "2023/01/12"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2023/12/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
@@ -13,7 +13,7 @@ Detects attempts to execute a program on the host from the Windows Subsystem for
Adversaries may enable and use WSL for Linux to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via Windows Subsystem for Linux"
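Review bot: `updated_date` is left at `"2023/12/21"` although `integration` and `index` change in this file, while every other rule touched by this commit bumps it to `"2024/01/16"`; tooling that tracks rule revisions is likely keyed to that field. Set `updated_date = "2024/01/16"` here as well.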
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/01/13"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2023/09/13"
updated_date = "2024/01/16"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism
and use WSL for Linux to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Subsystem for Linux Enabled via Dism Utility"
@@ -63,7 +63,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type : "start" and
(process.name : "Dism.exe" or process.pe.original_file_name == "DISM.EXE") and
(process.name : "Dism.exe" or ?process.pe.original_file_name == "DISM.EXE") and
process.command_line : "*Microsoft-Windows-Subsystem-Linux*"
'''
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/01/12"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2023/07/20"
updated_date = "2024/01/16"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. A
enable and use WSL for Linux to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Install Kali Linux via WSL"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/10/19"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ leveraged by threat actors to perform post-exploitation Active Directory reconna
observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "AdFind Command Activity"
@@ -79,7 +79,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and
(process.name : "AdFind.exe" or ?process.pe.original_file_name == "AdFind.exe") and
process.args : ("objectcategory=computer", "(objectcategory=computer)",
"objectcategory=person", "(objectcategory=person)",
"objectcategory=subnet", "(objectcategory=subnet)",
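Review bot: The description's sentence `For Winlogbeat, this rule requires Sysmon.` no longer tells the whole story once `logs-system.security*` is an input: Security event 4688 with command-line auditing also supplies `process.name` and `process.args`, and Sysmon is not involved there. Consider rewording to something like `For Winlogbeat or the System integration, this rule requires Sysmon process-creation events or Security event 4688 with command-line auditing enabled.` The `?` on `process.pe.original_file_name` is the right call, since 4688 carries no PE original filename.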
+6 -6
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/12/04"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/21"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies instances of lower privilege accounts enumerating Administrator accou
tools.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration of Administrator Accounts"
@@ -77,15 +77,15 @@ process where host.os.type == "windows" and event.type == "start" and
(
(
(
(process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe")
(process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or
((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe")
) and
process.args : ("group", "user", "localgroup") and
process.args : ("*admin*", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management")
and not process.args : ("/add", "/delete")
) or
(
(process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
(process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and
process.args : ("group", "useraccount")
)
) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/01/27"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/27"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
"Domain administrators may use this command-line utility for legitimate information gathering purposes.",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Enumerating Domain Trusts via DSQUERY.EXE"
@@ -65,7 +65,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "dsquery.exe" or process.pe.original_file_name: "dsquery.exe") and
(process.name : "dsquery.exe" or ?process.pe.original_file_name: "dsquery.exe") and
process.args : "*objectClass=trustedDomain*"
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2022/05/31"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/14"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Enumerating Domain Trusts via NLTEST.EXE"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/12/14"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = [
"Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Command Execution via SolarWinds Process"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -35,7 +35,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"]
language = "kuery"
license = "Elastic License v2"
name = "Svchost spawning Cmd"
@@ -117,8 +117,7 @@ timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and
process.name.caseless:"cmd.exe"
host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE")
'''
[[rule.threat]]
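Review bot: `process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE")` trades the case-insensitive `.caseless` multi-field for three exact-case matches on a keyword field, so any other casing of the image name (e.g. `cmd.EXE`) is no longer caught, and it is inconsistent with the MSBuild rule in this same commit, which lists only two casings. If `.caseless` had to go because `logs-system.security*` lacks that multi-field, record that in the rule's `note` so a later tuner does not restore it, and either enumerate casings consistently across rules or accept the gap explicitly. As far as I know a KQL wildcard does not help here either, since wildcard matches on keyword fields are also case-sensitive.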
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies native Windows host and network enumeration commands spawned by the W
Provider Service (WMIPrvSE).
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration Command Spawned via WMIPrvSE"
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
process.name:
(
"arp.exe",
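Review bot: The new `process.command_line != null` guard has no comment explaining why a missing command line should exclude the event, and the query body continues past this hunk. Presumably it keeps Security 4688 events collected without command-line auditing from matching on `process.name` alone and bypassing any command-line-based exclusions further down; if so, say it inline: `/* 4688 events without command-line auditing lack a command line; skip them rather than match on process name alone */`. If the reason is different, the comment should state the actual one.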
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/10/30"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -39,7 +39,7 @@ Identifies process execution from suspicious default Windows directories. This m
malware in trusted paths.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Execution from Unusual Directory - Command Line"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/10/19"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta
be indicative of adversary lateral movement.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Cmd Execution via WMI"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and o
system recovery.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Deleting Backup Catalogs with Wbadmin"
@@ -74,7 +74,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "wbadmin.exe" or process.pe.original_file_name == "WBADMIN.EXE") and
(process.name : "wbadmin.exe" or ?process.pe.original_file_name == "WBADMIN.EXE") and
process.args : "catalog" and process.args : "delete"
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints
ransomware or other destructive attacks.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Volume Shadow Copy Deleted or Resized via VssAdmin"
@@ -93,7 +93,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start"
and (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE") and
and (process.name : "vssadmin.exe" or ?process.pe.original_file_name == "VSSADMIN.EXE") and
process.args in ("delete", "resize") and process.args : "shadows*"
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/07/19"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -13,7 +13,7 @@ Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve
occurs in tandem with ransomware or other destructive attacks.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Volume Shadow Copy Deletion via PowerShell"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/03/04"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/03"
updated_date = "2024/01/16"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Exchange Server UM Spawning Suspicious Processes"
@@ -41,7 +41,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
'''
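Review bot: `process.parent.args : "MSExchange*AppPool"` cannot be satisfied by Security event 4688, which records the parent image path but, to my knowledge, no parent command line or arguments, so events from the newly added `logs-system.security*` index never match this rule and the index addition is inert here. Loosening the clause with `?` would be wrong (it would alert on every w3wp.exe child), so either leave the index out for this rule or document in `note` that System-integration coverage requires parent arguments from another source such as Sysmon or Elastic Defend. The `?` on `process.pe.original_file_name` is fine.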
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ These child processes are often launched during exploitation of Office applicati
macros.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious MS Office Child Process"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe
phishing activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious MS Outlook Child Process"
@@ -4,7 +4,7 @@ integration = ["windows", "system"]
maturity = "production"
min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ bypassing normal system access controls. Pass the hash (PtH) is a method of auth
without having access to the user's cleartext password.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Pass-the-Hash (PtH) Attempt"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -34,7 +34,7 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati
testers may run a shell as a service to gain SYSTEM permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "System Shells via Services"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ changes over time. This Windows functionality has been abused by attackers to st
code execution in legitimate Windows processes.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Application Shimming via Sdbinst"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/08/17"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/17"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Detects the successful hijack of Microsoft Compatibility Appraiser scheduled tas
integrity level of system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via TelemetryController Scheduled Task Hijack"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/12/04"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ bindings that execute code when a defined event occurs. Adversaries may use the
event and execute arbitrary code when that event occurs, providing persistence on a system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via WMI Event Subscription"
@@ -36,7 +36,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
(process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and
process.args : "create" and
process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer")
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/08/14"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may
using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via MSSQL xp_cmdshell Stored Procedure"
@@ -74,11 +74,11 @@ process where host.os.type == "windows" and event.type == "start" and process.pa
not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*",
"?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")) or
(process.name : "vpnbridge.exe" or process.pe.original_file_name : "vpnbridge.exe") or
(process.name : "vpnbridge.exe" or ?process.pe.original_file_name : "vpnbridge.exe") or
(process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") or
(process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") or
(process.name : "bitsadmin.exe" or process.pe.original_file_name == "bitsadmin.exe")
(process.name : "bitsadmin.exe" or ?process.pe.original_file_name == "bitsadmin.exe")
)
'''
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/08/24"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/09"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Web Shell Detection: Script Process Child of Common Web Processes"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/11/23"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
@@ -39,7 +39,7 @@ Identifies a privilege escalation attempt via named pipe impersonation. An adver
utilizing a framework such Metasploit's meterpreter getsystem command.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Privilege Escalation via Named Pipe Impersonation"
@@ -124,7 +124,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and
(process.name : ("Cmd.Exe", "PowerShell.EXE") or ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE")) and
process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*"
'''
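Review bot: The new `?process.pe.original_file_name` clause on the third query line marks the PE field as optional but records nothing about why, so a reader tuning this rule later cannot tell that only the `process.name` branch can fire on events that carry no PE metadata (presumably the newly added `logs-system.security*` source). A renamed cmd.exe or powershell.exe is matched only through the PE branch, so coverage now differs per data source, and that is worth stating next to the condition. I would add `/* process.pe.* may be absent on some sources (e.g. Security-channel process events); the process.name match is the only clause that applies there */` above the `process.name :` line, using the block-comment style the Print Spooler query in this same change already uses.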
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2022/10/20"
integration = ["windows"]
integration = ["windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation of a process running as SYSTEM and impersonating a Windo
may create a new process with a different token to escalate privileges and bypass access controls.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "SeDebugPrivilege Enabled by a Suspicious Process"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/08/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled
stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
@@ -34,7 +34,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.args : "/autoclean" and process.args : "/d" and
process.args : "/autoclean" and process.args : "/d" and process.executable != null and
not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe",
"C:\\Windows\\SysWOW64\\cleanmgr.exe",
"C:\\Windows\\System32\\taskhostw.exe")
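Review bot: The `process.executable != null` guard added to the second query line makes the rule skip any process event that carries no executable path, which is a behaviour change rather than only a tuning of the exclusion list, and nothing in the query records why it is there. Whether such events matched before depends on how EQL evaluates `not process.executable : (...)` against a missing field, so the intent — keep the path exclusion evaluable at the cost of not alerting on events without `process.executable`, presumably some from the new `logs-system.security*` index — should be visible to the next maintainer. I would add `/* executable is required so the cleanmgr.exe/taskhostw.exe exclusion below can be evaluated; events without it are deliberately skipped */` before the `not process.executable` line. The same undocumented null-guard pattern appears in the Print Spooler query (`process.command_line != null`), whose hunk continues past this page.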
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/03/17"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -39,7 +39,7 @@ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass
elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Bypass UAC via Event Viewer"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/10/26"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -39,7 +39,7 @@ Identifies an attempt to bypass User Account Control (UAC) by masquerading as a
Attackers may bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt via Windows Directory Masquerading"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -39,7 +39,7 @@ Identifies Windows programs run from unexpected parent processes. This could ind
activity on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Parent-Child Relationship"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/07/06"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/16"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Print Spooler Child Process"
@@ -41,9 +41,8 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "spoolsv.exe" and
(?process.Ext.token.integrity_level_name : "System" or
?winlog.event_data.IntegrityLevel : "System") and
process.parent.name : "spoolsv.exe" and process.command_line != null and
(?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
/* exclusions for FP control below */
not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and