[Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388)

* added elastic security labs URL references

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Is not compatible with Windows blog.

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Is not compatible with Windows blog. Reverting updated date.

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Is not compatible with Windows blog. Reverting updated date.

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Is not compatible with Windows blog.

* Update rules/ml/execution_ml_windows_anomalous_script.toml

Is not compatible with Windows blog. Reverting updated date.

* Update rules/linux/credential_access_collection_sensitive_files.toml

Not compatible with Windows blog. Reverting updated date.

* Update rules/linux/credential_access_collection_sensitive_files.toml

Not compatible with Windows blog.

* added credential access URL for mimikatz rules

* updated version of the ML Windows anomalous script rule

* removed change to macOS rule since no blog correlation
Terrance DeJesus
2022-11-07 15:17:49 -05:00
committed by GitHub
parent fd1260c109
commit 4997f95300
64 changed files with 166 additions and 73 deletions
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/10/11"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -62,6 +62,8 @@ references = [
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
"https://github.com/christophetd/log4shell-vulnerable-app",
"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
"https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"
]
risk_score = 47
rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
@@ -3,7 +3,7 @@ creation_date = "2021/12/10"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -20,6 +20,8 @@ references = [
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
"https://github.com/christophetd/log4shell-vulnerable-app",
"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
"https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"
]
risk_score = 73
rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
@@ -3,7 +3,7 @@ creation_date = "2020/08/31"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "azure"
[rule]
@@ -31,6 +31,7 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re
references = [
"https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 47
rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
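Review bot: The detect-credential-access link appended to the references array of rule 792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec appears to be the same Windows-oriented Security Labs article that the commit description removes from the macOS and Linux credential-access rules as "not compatible with Windows blog", yet this rule is driven by Azure Key Vault audit-log events (`integration = "azure"`). If the article does not cover Azure Key Vault activity the same compatibility argument applies here: drop the added line and revert `updated_date = "2022/08/24"`; if it does, a one-line justification in the PR would save the next reviewer the same question. The references array begins inside this hunk, but the rest of the [rule] table is outside it.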
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -22,6 +22,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 73
rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -24,6 +24,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
@@ -3,7 +3,7 @@ creation_date = "2022/01/05"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -20,7 +20,9 @@ name = "Potential Abuse of Repeated MFA Push Notifications"
note = """## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://www.mandiant.com/resources/russian-targeting-gov-business"]
references = [
"https://www.mandiant.com/resources/russian-targeting-gov-business",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"]
risk_score = 73
rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
severity = "high"
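Review bot: The rewritten references array for rule 97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7 closes with `]` on the same line as its last element (`"...testing-okta-visibility-and-detection-dorothy"]`), whereas every other multi-line references array in this commit places `]` on its own line. Writing `"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"` followed by `]` on the next line keeps the file consistent with the others and, if the repository normalizes rule files, avoids a spurious reformat diff later. The same inline `]` appears in the hunks for rules 231876e7-4d1f-4d63-a47c-47dd1acdc1cb, 1781d055-5c66-4adf-9d60-fc0fa58337b6 and 850d901a-2a3c-46c6-8b22-55398a01aad8.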
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
@@ -3,7 +3,7 @@ creation_date = "2022/03/22"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -23,7 +23,8 @@ note = """## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/"
"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 73
rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -30,6 +30,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1"
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -30,6 +30,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -30,6 +30,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
@@ -3,7 +3,7 @@ creation_date = "2020/05/28"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -30,6 +30,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9"
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -30,6 +30,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -31,6 +31,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -28,6 +28,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7"
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a"
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -28,6 +28,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f"
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -22,6 +22,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68"
@@ -3,7 +3,7 @@ creation_date = "2021/05/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -16,6 +16,11 @@ name = "Unauthorized Access to an Okta Application"
note = """## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
severity = "low"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -23,6 +23,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -23,6 +23,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -30,6 +30,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "b8075894-0b62-46e5-977c-31275da34419"
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -30,6 +30,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5"
@@ -3,7 +3,7 @@ creation_date = "2020/05/20"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -28,6 +28,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 21
rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
@@ -3,7 +3,7 @@ creation_date = "2020/07/01"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
integration = "okta"
[rule]
@@ -29,6 +29,7 @@ references = [
"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"
]
risk_score = 47
rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
@@ -3,7 +3,7 @@ creation_date = "2022/05/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/10/11"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -81,6 +81,7 @@ references = [
"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
"https://twitter.com/GossiTheDog/status/1522964028284411907",
"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
]
risk_score = 47
rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
@@ -3,7 +3,7 @@ creation_date = "2022/05/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -35,6 +35,7 @@ references = [
"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
"https://twitter.com/GossiTheDog/status/1522964028284411907",
"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
]
risk_score = 73
rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce"
@@ -3,7 +3,7 @@ creation_date = "2022/05/10"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -27,6 +27,7 @@ name = "Binary Executed from Shared Memory Directory"
references = [
"https://linuxsecurity.com/features/fileless-malware-on-linux",
"https://twitter.com/GossiTheDog/status/1522964028284411907",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
]
risk_score = 73
rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce"
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/10/11"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -71,7 +71,9 @@ malware components.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
references = ["https://pentestlab.blog/tag/web-shell/"]
references = [
"https://pentestlab.blog/tag/web-shell/",
"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"]
risk_score = 47
rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
severity = "medium"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/03/25"
maturity = "production"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -23,7 +23,9 @@ interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_windows_anomalous_script"]
name = "Suspicious Powershell Script"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
references = [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
severity = "low"
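Review bot: The bumped `updated_date = "2022/11/07"` in this file's [metadata] table sits between `maturity` and `min_stack_comments`, while every other rule touched by this commit orders the table as creation_date, maturity, min_stack_comments, min_stack_version, updated_date. Since the line is being rewritten anyway, moving it after `min_stack_version = "8.3.0"` would bring the ML rule in line with the rest; this is ordering only and has no effect on parsing. The [metadata] table starts at line 1 of the file, so the first hunk shows it in full.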
@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -29,6 +29,7 @@ This activity has been observed in FIN7 campaigns."""
references = [
"https://blog.morphisec.com/fin7-attacks-restaurant-industry",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
"https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"
]
risk_score = 73
rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
@@ -3,7 +3,7 @@ creation_date = "2020/10/05"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -28,6 +28,7 @@ references = [
"https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
"https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html",
"https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"
]
risk_score = 99
rule_id = "e7075e8d-a966-458e-a183-85cd331af255"
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/27"
updated_date = "2022/11/07"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -24,6 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
references = [
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 73
rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f"
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/27"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -67,6 +67,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
"""
references = [
"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 73
rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8"
@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -102,7 +102,8 @@ references = [
"https://twitter.com/jsecurity101/status/1227987828534956033?s=20",
"https://attack.mitre.org/techniques/T1003/001/",
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html",
"http://findingbad.blogspot.com/2017/"
"http://findingbad.blogspot.com/2017/",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 73
rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de"
@@ -3,7 +3,7 @@ creation_date = "2020/08/31"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/27"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -70,6 +70,9 @@ mean time to respond (MTTR).
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 73
rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
severity = "high"
@@ -3,7 +3,7 @@ creation_date = "2020/12/07"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -99,6 +99,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
references = [
"https://attack.mitre.org/software/S0002/",
"https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 73
rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46"
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/27"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -83,6 +83,7 @@ references = [
"https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
"https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019",
"https://frsecure.com/compromised-credentials-response-playbook",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 73
rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"
@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/10/26"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -61,6 +61,9 @@ malware components.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
references = [
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 47
rule_id = "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494"
severity = "medium"
@@ -3,7 +3,7 @@ creation_date = "2022/03/01"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/10/26"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -68,7 +68,9 @@ collected from the host for this detection to work.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"]
references = [
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
"https://www.elastic.co/security-labs/detect-credential-access"]
risk_score = 73
rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
severity = "high"
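Review bot: The rewritten `references` array for rule `850d901a-2a3c-46c6-8b22-55398a01aad8` closes with `]` on the same line as the last URL and has no trailing comma, while every other multi-line `references` array in this commit puts `]` on its own line; the same layout appears in the `44fc462c-1159-4fa8-b1b7-9b6296ab4f96`, `70d12c9c-0dbd-4a1a-bc44-1467502c9cf6` and `5a14d01d-7ac8-4545-914c-b687c2cf66b3` hunks. Both forms parse, but the one-element-per-line style with a trailing comma is what the rest of the rule files use and keeps future additions to a one-line diff. Change the last element to `"https://www.elastic.co/security-labs/detect-credential-access",` and move `]` to its own line in each of the four hunks.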
@@ -3,7 +3,7 @@ creation_date = "2022/08/30"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/30"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",]
references = [
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
"https://www.elastic.co/security-labs/detect-credential-access"]
risk_score = 47
rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
severity = "medium"
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/27"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -24,6 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
references = [
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
"https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 47
rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
@@ -3,7 +3,7 @@ creation_date = "2021/10/07"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -22,6 +22,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
"""
references = [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 73
rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -89,6 +89,7 @@ Special Logon (Success)
references = [
"https://github.com/mpgn/BackupOperatorToDA",
"https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 47
rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
@@ -3,7 +3,7 @@ creation_date = "2021/10/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -86,6 +86,7 @@ references = [
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1",
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1",
"https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 73
rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d"
@@ -3,7 +3,7 @@ creation_date = "2020/12/03"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -56,6 +56,9 @@ malware components.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
references = [
"https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"
]
risk_score = 47
rule_id = "035889c4-2686-4583-a7df-67f89c292f2c"
severity = "medium"
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -79,6 +79,9 @@ mean time to respond (MTTR).
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://www.elastic.co/blog/vulnerability-summary-follina"
]
risk_score = 47
rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
severity = "medium"
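Review bot: The reference added for rule `a624863f-a70d-417f-a7d2-7a404638d47f` is `https://www.elastic.co/blog/vulnerability-summary-follina`, the only link in this commit under `/blog/` rather than `/security-labs/`, although the commit is titled as linking Security Labs content. If the Follina write-up has a Security Labs counterpart it should be referenced here for consistency with the other hunks; if the `/blog/` path is the canonical location, a short comment above the array, `# Follina summary lives under /blog/, not /security-labs/`, would stop the next maintainer from "fixing" it.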
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -81,6 +81,7 @@ references = [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
"https://github.com/maxpl0it/CVE-2020-1350-DoS",
"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"
]
risk_score = 73
rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -30,6 +30,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
references = [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"
]
risk_score = 73
rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -68,6 +68,7 @@ references = [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
"https://github.com/maxpl0it/CVE-2020-1350-DoS",
"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"
]
risk_score = 47
rule_id = "11013227-0301-4a8c-b150-4db924484475"
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -17,6 +17,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Local Scheduled Task Creation"
references = [
"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1",
"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2"
]
risk_score = 21
rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a"
severity = "low"
@@ -3,7 +3,7 @@ creation_date = "2021/10/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/10/26"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -21,6 +21,7 @@ references = [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
"https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx",
"https://www.elastic.co/security-labs/detect-credential-access"
]
risk_score = 47
rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450"
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -77,6 +77,9 @@ mean time to respond (MTTR).
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"
]
risk_score = 47
rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde"
severity = "medium"
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -21,6 +21,9 @@ note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references= [
"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"
]
risk_score = 21
rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
severity = "low"
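Review bot: The new key in the rule `9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c` hunk is written `references= [` with no space before `=`, unlike `references = [` in every other hunk of this commit and the surrounding keys in the same file. It is valid TOML, so nothing breaks, but it is the kind of inconsistency a formatter such as `taplo fmt` would flag. Change it to `references = [`.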
@@ -3,7 +3,7 @@ creation_date = "2021/03/15"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via WMI Standard Registry Provider"
references = ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov"]
references = [
"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov",
"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"]
risk_score = 73
rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6"
severity = "high"
@@ -3,7 +3,7 @@ creation_date = "2021/08/24"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/10/11"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -79,6 +79,8 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
"""
references = [
"https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/",
"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"
]
risk_score = 73
rule_id = "2917d495-59bd-4250-b395-c29409b76086"
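Review bot: The Spring4Shell reference added for rule `2917d495-59bd-4250-b395-c29409b76086` contains a doubled word in the slug, `elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965`. That may well be the published slug rather than a typo, so I would only ask that the URL be confirmed to resolve before merge; a dead reference in a production rule is easy to miss later. If the published slug differs, correct the line to the resolving URL.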
@@ -3,7 +3,7 @@ creation_date = "2020/10/27"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/11/07"
[rule]
author = ["Elastic"]
@@ -20,7 +20,9 @@ note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://github.com/hfiref0x/UACME"]
references = [
"https://github.com/hfiref0x/UACME",
"https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"]
risk_score = 73
rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3"
severity = "high"