[Rule Tuning] Minor Rule Tweaks for 7.10 (#400)

* Tweak Rules for 7.10

* Add endpoint index for packetbeat rules

* update unit test to account for Network tag as well

* update modified date, add endpoint tag

* use Host instead of Endpoint

* Update packaging.py

* add v back to changelog url

* Add "tag" comment to get_markdown_rule_info

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2020-10-22 09:07:04 -04:00
committed by GitHub
parent 0a992d716a
commit 2e422f7159
32 changed files with 81 additions and 80 deletions
+1
@@ -318,6 +318,7 @@ class Package(object):
return rule_str
def get_markdown_rule_info(r: Rule, sd):
# lookup the rule in the GitHub tag v{major.minor.patch}
rules_dir_link = f'https://github.com/elastic/detection-rules/tree/v{self.name}/rules/{sd}/'
rule_type = r.contents['language'] if r.type in ('query', 'eql') else r.type
return f'`{r.id}` **[{r.name}]({rules_dir_link + os.path.basename(r.path)})** (_{rule_type}_)'
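Review bot: `get_markdown_rule_info` still has no docstring, and neither its `sd` parameter nor its reliance on `self` (a closure over the enclosing method, whose definition starts outside the hunk) is explained; the added comment only covers the tag. I would turn the comment into a docstring such as `"""Return a markdown link to rule *r* under ``rules/<sd>/`` at the GitHub tag ``v<self.name>`` (presumably the package version)."""`. Since `self.name` is interpolated straight into the tag path, a package name that does not correspond to a published tag yields a dead link rather than an error, which is worth a one-line note next to the f-string.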
@@ -2,7 +2,7 @@
creation_date = "2020/09/22"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/22"
updated_date = "2020/10/21"
[rule]
anomaly_threshold = 50
@@ -21,7 +21,7 @@ from = "now-45m"
interval = "15m"
license = "Elastic License"
machine_learning_job_id = "linux_rare_metadata_process"
name = "Unusual Process Calling the Metadata Service"
name = "Unusual Linux Process Calling the Metadata Service"
risk_score = 21
rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
severity = "low"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -22,14 +22,14 @@ false_positives = [
server that has no known associated FTP workflow or business requirement is often suspicious.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "FTP (File Transfer Protocol) Activity to the Internet"
risk_score = 21
rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43"
severity = "low"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
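Review bot: Adding `logs-endpoint.events.*` to `index` widens this rule to endpoint network events, but the `query` that decides whether those events match begins right after this hunk and is not touched by the commit, so nothing here shows that its field names and value conventions line up with what the endpoint integration emits. A mismatch is silent: the rule keeps firing on packetbeat data and simply never matches endpoint data, which reads as coverage that does not exist. I would validate each affected query against sample endpoint network events before release and record the assumption in the rule file, e.g. `# index includes endpoint network events; query fields verified against endpoint network data`. The same applies to every packetbeat rule in this commit, from the IRC rule through the SMB rule.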
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
and usually only appears in local traffic using private IPs, which does not match this rule's conditions.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "IRC (Internet Relay Chat) Protocol Activity to the Internet"
risk_score = 47
rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
severity = "medium"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
port in the range by coincidence. This is uncommon but such servers can be excluded.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "IPSEC NAT Traversal Port Activity"
risk_score = 21
rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
severity = "low"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -17,7 +17,7 @@ false_positives = [
expected behavior.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "SMTP on Port 26/TCP"
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
severity = "low"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "TCP Port 8000 Activity to the Internet"
risk_score = 21
rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf"
severity = "low"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -19,14 +19,14 @@ false_positives = [
be excluded.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "PPTP (Point to Point Tunneling Protocol) Activity"
risk_score = 21
rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
severity = "low"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -23,14 +23,14 @@ false_positives = [
port in the range by coincidence. In this case, such servers can be excluded if desired.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Proxy Port Activity to the Internet"
risk_score = 47
rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3"
severity = "medium"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -22,14 +22,14 @@ false_positives = [
not unexpected.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "RDP (Remote Desktop Protocol) from the Internet"
risk_score = 47
rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
severity = "medium"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -18,14 +18,14 @@ false_positives = [
case, such devices or networks can be excluded from this rule if this is expected behavior.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "SMTP to the Internet"
risk_score = 21
rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4"
severity = "low"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -19,14 +19,14 @@ false_positives = [
database instances are accessed directly across the Internet.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "SQL Traffic to the Internet"
risk_score = 47
rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
severity = "medium"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -22,14 +22,14 @@ false_positives = [
not unexpected.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "SSH (Secure Shell) from the Internet"
risk_score = 47
rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
severity = "medium"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "SSH (Secure Shell) to the Internet"
risk_score = 21
rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
severity = "low"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
server that has no known associated Telnet work-flow or business requirement is often suspicious.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Telnet Port Activity"
risk_score = 47
rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
severity = "medium"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -19,14 +19,14 @@ false_positives = [
this case, such servers can be excluded if desired.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Tor Activity to the Internet"
risk_score = 47
rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
severity = "medium"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
that is unfamiliar to server or network owners can be unexpected and suspicious.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "VNC (Virtual Network Computing) from the Internet"
risk_score = 73
rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
severity = "high"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
that is unfamiliar to server or network owners can be unexpected and suspicious.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "VNC (Virtual Network Computing) to the Internet"
risk_score = 47
rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
severity = "medium"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.
""",
]
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "RDP (Remote Desktop Protocol) to the Internet"
risk_score = 21
rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5"
severity = "low"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -12,14 +12,14 @@ system administrators to remotely control a system for maintenance or to use sha
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
"""
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "RPC (Remote Procedure Call) from the Internet"
risk_score = 73
rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
severity = "high"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -12,14 +12,14 @@ system administrators to remotely control a system for maintenance or to use sha
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
"""
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "RPC (Remote Procedure Call) to the Internet"
risk_score = 73
rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
severity = "high"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -12,14 +12,14 @@ the Internet. SMB is commonly used within networks to share files, printers, and
systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by
threat actors as an initial access or back-door vector or for data exfiltration.
"""
index = ["filebeat-*", "packetbeat-*"]
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "SMB (Windows File Sharing) Activity to the Internet"
risk_score = 73
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
tags = ["Elastic", "Network"]
tags = ["Elastic", "Host", "Network"]
type = "query"
query = '''
@@ -2,13 +2,13 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/30"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
description = "Identifies possibly suspicious activity using trusted Windows developer activity."
false_positives = ["These programs may be used by Windows developers but use by non-engineers is unusual."]
index = ["winlogbeat-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Trusted Developer Application Usage"
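Review bot: `winlogbeat-*` was implicitly Windows-only, but `logs-endpoint.events.*` also carries Linux and macOS endpoint events (the test in this commit maps that index to any of Windows, macOS, Linux or Host), so unless the `query` outside this hunk pins the OS, a rule such as "Whoami Process Activity" can now fire on non-Windows hosts where the same binary name is routine. The queries are not in the hunks, so I can't confirm whether they already constrain `host.os.family`; where they do not, adding that clause (or keeping the rule on winlogbeat only) avoids a new false-positive source. The same point applies to the Windows rules that follow in this commit, from the Filter Manager rule through the Sdbinst rule.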
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/30"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade
defenses.
"""
index = ["winlogbeat-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Potential Evasion via Filter Manager"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/30"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
tasklist to get information about running processes.
""",
]
index = ["winlogbeat-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Process Discovery via Tasklist"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/30"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
frameworks. Usage by non-engineers and ordinary users is unusual.
""",
]
index = ["winlogbeat-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Whoami Process Activity"
@@ -2,7 +2,7 @@
creation_date = "2020/07/16"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/16"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
to spawn.
""",
]
index = ["winlogbeat-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Unusual Child Process of dns.exe"
@@ -2,7 +2,7 @@
creation_date = "2020/07/16"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/16"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which
may indicate activity related to remote code execution or other forms of exploitation.
"""
index = ["winlogbeat-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Unusual File Modification by dns.exe"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/30"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
to conceal malicious code.
""",
]
index = ["winlogbeat-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Process Activity via Compiled HTML File"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/30"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Windows contains accessibility features that may be launched with a key combinat
adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the
system.
"""
index = ["winlogbeat-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Potential Modification of Accessibility Binaries"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/30"
updated_date = "2020/10/21"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ The Application Shim was created to allow for backward compatibility of software
changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary
code execution in legitimate Windows processes.
"""
index = ["winlogbeat-*"]
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Potential Application Shimming via Sdbinst"
+1 -1
@@ -232,7 +232,7 @@ class TestRuleTags(unittest.TestCase):
'endgame-*': {'all': ['Endpoint']},
'logs-aws*': {'all': ['AWS']},
'logs-endpoint.alerts-*': {'all': ['Endpoint']},
'logs-endpoint.events.*': {'any': ['Windows', 'macOS', 'Linux']},
'logs-endpoint.events.*': {'any': ['Windows', 'macOS', 'Linux', 'Host']},
'logs-okta*': {'all': ['Okta']},
'packetbeat-*': {'all': ['Network']},
'winlogbeat-*': {'all': ['Windows']}
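Review bot: Adding `'Host'` to the accepted set for `logs-endpoint.events.*` means a rule that indexes endpoint events can now satisfy this check with the `Host` tag alone, so an OS-specific tag is no longer enforced for endpoint-only rules (assuming `'any'` means at least one listed tag; the check itself and the enclosing test method are outside the hunk). If that relaxation is intended only for the cross-platform network rules, a trailing comment makes the intent explicit: `'logs-endpoint.events.*': {'any': ['Windows', 'macOS', 'Linux', 'Host']},  # Host: cross-OS rules pairing endpoint events with packetbeat`.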