From 341499a2bc18cb5e0da7d54cd955f63cddeea0ab Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 19 Dec 2023 20:59:48 +0000
Subject: [PATCH] [Deprecate] Potential Process Herpaderping Attempt (#3336)

* Update and rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* Rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* ++

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 ...fense_evasion_potential_processherpaderping.toml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
 rename rules/{windows => _deprecated}/defense_evasion_potential_processherpaderping.toml (87%)

diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/_deprecated/defense_evasion_potential_processherpaderping.toml
similarity index 87%
rename from rules/windows/defense_evasion_potential_processherpaderping.toml
rename to rules/_deprecated/defense_evasion_potential_processherpaderping.toml
index 025a5e6de..d65e12257 100644
--- a/rules/windows/defense_evasion_potential_processherpaderping.toml
+++ b/rules/_deprecated/defense_evasion_potential_processherpaderping.toml
@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2020/10/27"
+deprecation_date = "2023/12/15"
 integration = ["endpoint", "windows"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/15"
 
 [rule]
 author = ["Elastic"]
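Review bot: The first hunk retires the Potential Process Herpaderping Attempt detection without recording why, or whether another rule now covers the technique; `maturity = "deprecated"` and the new `deprecation_date` only say that it happened. Someone auditing `rules/_deprecated/` after defense-evasion coverage drops has to dig through the PR history to learn whether the rule was superseded or simply dropped. A one-line TOML comment above `deprecation_date` would close that gap, e.g. `# Deprecated: <reason>; superseded by <replacement rule_id, if any>` with the placeholders filled in from the PR discussion. If the repository's deprecation tooling rejects comments in `[metadata]`, the same sentence belongs in the commit description, which currently carries only auto-generated rename bullets.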
@@ -21,7 +22,13 @@ references = ["https://github.com/jxy-s/herpaderping"]
 risk_score = 73
 rule_id = "ccc55af4-9882-4c67-87b4-449a7ae8079c"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+]
 type = "eql"
 query = '''