[Rule Tuning] Further Tight up Elastic Defend Index Patterns (#3584)

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2024-04-16 13:26:42 -03:00
committed by GitHub
parent 74312797bf
commit 5004ff115c
47 changed files with 94 additions and 94 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ network connections and bypass host-based firewall restrictions.
"""
false_positives = ["Processes such as MS Office using IEproxy to render HTML content."]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.library-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Command and Control via Internet Explorer"
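Review bot: The narrowed `index` list confines this rule to the library, process and network Elastic Defend datasets, and since no `winlogbeat-*` or Sysmon pattern is listed, any stage of the EQL query that filters on another `event.category` (file, registry, dns) would simply never match rather than fail loudly. The query is outside the hunk, so this cannot be confirmed here; it is worth checking that every category the sequence references has a matching `logs-endpoint.events.<category>-*` entry and that the repository's rule tests enforce that mapping so a later query edit cannot silently reintroduce the gap. A one-line comment above `index` would help the next tuner, e.g. `# index list must cover every event.category the query below filters on`.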
@@ -2,7 +2,7 @@
creation_date = "2020/11/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2023/12/07"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -67,7 +67,7 @@ providers = [
author = ["Elastic"]
description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via PowerShell"
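Review bot: The `index` line now keeps only the network and file datasets and drops `logs-endpoint.events.process-*`, so a process-start stage in the sequence (which the description's "powershell.exe being used to download" could imply) would no longer see Elastic Defend data; whether such a stage exists cannot be seen from this hunk. If the query only joins a network event to a subsequent file write by the same process entity the change is correct, otherwise `"logs-endpoint.events.process-*"` should be added back. This rule lists no Sysmon or winlogbeat fallback, so a category mismatch disables it entirely on hosts that ship only Elastic Defend events.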
@@ -2,7 +2,7 @@
creation_date = "2020/11/29"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -39,7 +39,7 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei
from a remote destination.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via Script Interpreter"
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -40,7 +40,7 @@ credential management. This technique is sometimes used for credential dumping.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via Trusted Developer Utility"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies InstallUtil.exe making outbound network connections. This may indicat
often leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "InstallUtil Process Making Network Connections"
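Review bot: The Defend side of `index` is tightened to process and network, but `winlogbeat-*` on the same line stays an unrestricted prefix that appears to match every Winlogbeat data stream regardless of channel, so the rule still scans channels that cannot hold the process or network events it needs; the tightening is asymmetric. This is not a regression introduced by the commit, but given its stated purpose of cutting rule search scope, the same treatment probably belongs on the winlogbeat side in a follow-up, along the lines of the channel-specific `logs-windows.sysmon_operational-*` pattern already on the line. The query is outside the hunk, so the categories it actually needs are not verified here.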
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -41,7 +41,7 @@ masquerading attempt to evade suspicious child process behavior detections.
"""
false_positives = ["Legit Application Crash with rare Werfault commandline value"]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Windows Error Manager Masquerading"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -39,7 +39,7 @@ validation. Adversaries may use these binaries to 'live off the land' and execut
application allowlists and signature validation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection via Signed Binary"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -38,7 +38,7 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad
leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "MsBuild Making Network Connections"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies Mshta.exe making outbound network connections. This may indicate adve
leveraged by adversaries to execute malicious scripts and evade detection.
"""
from = "now-20m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Mshta Making Network Connections"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies msxsl.exe making a network connection. This may indicate adversarial
by adversaries to execute malicious scripts and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection via MsXsl"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -39,7 +39,7 @@ Identifies network activity from unexpected system applications. This may indica
applications are often leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Network Activity from a Windows System Binary"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/26"
updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -40,7 +40,7 @@ of these files can occur during an intrusion, or as part of a post-intrusion pro
footprint.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Termination followed by Deletion"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies WMIC allowlist bypass techniques by alerting on suspicious execution
libraries it may be indicative of an allowlist bypass.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMIC XSL Script Execution"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies unusual instances of dllhost.exe making outbound network connections.
and Control activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Network Connection via DllHost"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies unusual instances of rundll32.exe making outbound network connections
and Control activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Network Connection via RunDLL32"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies network activity from unexpected system applications. This may indica
applications are often leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Process Network Connection"
@@ -2,7 +2,7 @@
creation_date = "2023/01/12"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ Detects files creation and modification on the host system from the the Windows
Adversaries may enable and use WSL for Linux to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Host Files System Changes via Windows Subsystem for Linux"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/31"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies processes loading Active Directory related modules followed by a netw
Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Enumeration via Active Directory Web Service"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -44,7 +44,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Command Prompt Network Connection"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -39,7 +39,7 @@ malicious code in a CHM file and deliver it to a victim for execution. CHM conte
program (hh.exe).
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection via Compiled HTML File"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies an executable created by a Microsoft Office application and subsequen
launched via scripts inside documents or during exploitation of Microsoft Office applications.
"""
from = "now-120m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies a suspicious file that was written by a PDF reader application and su
often launched via exploitation of PDF applications.
"""
from = "now-120m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "PsExec Network Connection"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -44,7 +44,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection via Registration Utility"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/26"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ within a short time period. This may indicate lateral movement or remote discove
"""
false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Outbound Scheduled Task Activity via PowerShell"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of a browser process to open an HTML file with high ent
data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious HTML File Creation"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/12"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ possibly those on disconnected or air-gapped networks, by copying malware to rem
Autorun features when the media is inserted into a system and executes.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution from a Removable Media with Network Connection"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/12"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of the built-in Windows Installer, msiexec.exe, to inst
msiexec.exe to launch local or network accessible MSI files.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote File Execution via MSIEXEC"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the built-in Windows script interpreters (cscript.exe or wscri
via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Script Interpreter Executing Process via WMI"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/12"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM i
This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote XSL Script Execution via COM"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T
lateral movement but will be noisy if commonly done by admins.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Service Command Lateral Movement"
+2 -2
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ launched via the HTA Application COM Object. This behavior may indicate an attac
laterally while attempting to evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Incoming DCOM Lateral Movement via MSHTA"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ via the MMC20 Application COM Object. This behavior may indicate an attacker abu
laterally.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Incoming DCOM Lateral Movement with MMC"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may
application to stealthily move laterally.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/22"
updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -41,7 +41,7 @@ connections are established by the kernel. Processes making 445/tcp connections
suspicious user-level processes moving laterally.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Direct Outbound SMB Connection"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ indicative of an active RDP shadowing session. An adversary may abuse the RDP Sh
other users active RDP sessions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Desktop Shadowing Activity"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/09"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation or change of a Windows executable file over network shar
other files between systems in a compromised environment.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Lateral Tool Transfer via SMB Share"
@@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/01/03"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -39,7 +39,7 @@ Identifies the execution of a file that was created by the virtual system proces
via network file shares.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote Execution via File Shares"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Incoming Execution via WinRM Remote Shell"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "WMI Incoming Lateral Movement"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Incoming Execution via PowerShell Remoting"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies potential behavior of SharpRDP, which is a tool that can be used to p
against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential SharpRDP Behavior"
@@ -2,7 +2,7 @@
creation_date = "2020/11/16"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -39,7 +39,7 @@ Identifies remote execution of Windows services over remote procedure call (RPC)
movement, but will be noisy if commonly done by administrators.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Remotely Started Services via RPC"
@@ -4,13 +4,13 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement."
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote Scheduled Task Creation"
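Review bot: The new `index` keeps only the registry and network Elastic Defend datasets and drops the process dataset, which fits a sequence of an incoming network connection followed by a task-related registry write but cannot be verified because the query sits outside the hunk. Because `winlogbeat-*` and `logs-windows.sysmon_operational-*` remain listed, Sysmon-sourced hosts are unaffected; the exposure is confined to hosts that ship only Elastic Defend data. If the query also filters on `event.category == "process"`, add `"logs-endpoint.events.process-*"` back; otherwise a brief comment above `index` naming the stages the two datasets serve would make the next tuning safer.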
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ an adversary to establish persistence.
"""
false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Scheduled Task Created by a Windows Script"
@@ -2,7 +2,7 @@
creation_date = "2020/11/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2023/10/13"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -39,7 +39,7 @@ Identifies files written or modified in the startup folder by unsigned processes
to maintain persistence in an environment.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Startup Folder Persistence via Unsigned Process"
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "development"
updated_date = "2023/06/22"
updated_date = "2024/04/08"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ the local network or upstream DNS traffic can inject malicious JavaScript to the
system compromise.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "WPAD Service Exploit"
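Review bot: This rule is still `maturity = "development"` yet receives the same narrowing as the production rules, with process, network and library datasets and no Sysmon or winlogbeat fallback, so if the query is revised before promotion the index list must be re-checked against the final query rather than carried forward. Whether all three categories are used cannot be confirmed from the hunk; an unused dataset is harmless, a missing one silently breaks a sequence stage. Consider recording the intended stage-to-dataset mapping in a comment above `index` once the query is final.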