[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)

* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Justin Ibarra
2023-03-05 09:41:19 -09:00
committed by GitHub
parent a71620a99b
commit 59da2da474
450 changed files with 1038 additions and 998 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -45,9 +45,9 @@ type = "eql"
query = '''
sequence by process.entity_id with maxspan=1m
[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
[process where event.action == "session_id_change" and user.id == "0" and
[process where host.os.type == "linux" and event.action == "session_id_change" and user.id == "0" and
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/19"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process where host.os.type == "linux" and event.type == "start" and
process.args : "-s" and process.args : "-d" and process.args : "rssocks"
'''
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/01"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -54,10 +54,10 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=3s
[authentication where event.action in ("ssh_login", "user_login") and
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=2
[authentication where event.action in ("ssh_login", "user_login") and
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ]
'''
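Review bot: The `host.os.type == "linux"` clause added to both subqueries makes this rule depend on a field the `system` integration's authentication events do not carry on their own; as far as I know it is populated by the agent's host-metadata enrichment, so any auth log shipped without that enrichment now silently stops matching instead of firing as it did before. The same dependency is introduced in the other two system-integration rules in this commit (the `sequence by host.id, source.ip, user.name with maxspan=10s` rule and the `sequence by host.id, source.ip with maxspan=10s` rule). I would confirm against the integration's sample documents, or in the new unit tests, that `host.os.type` is present on these events, and record the dependency in the rule's `setup` text so operators know why the rule may go quiet. The rule's `required_fields` block lies outside the hunk, so I cannot tell whether `host.os.type` was added there as well.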
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:start and
event.category:process and host.os.type:linux and event.type:start and
process.name:(zip or tar or gzip or hdiutil or 7z) and
process.args:
(
@@ -31,7 +31,7 @@ tags = ["Elastic", "Elastic Endgame", "Host", "Linux", "Threat Detection", "Cred
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where process.name == "unshadow" and
process where host.os.type == "linux" and process.name == "unshadow" and
event.type == "start" and event.action == "exec" and process.args_count >= 2
'''
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/01"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -54,7 +54,7 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=10s
[authentication where event.action in ("ssh_login", "user_login") and
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10
'''
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/01"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -54,7 +54,7 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement", "Cre
type = "eql"
query = '''
sequence by host.id, source.ip with maxspan=10s
[authentication where event.action in ("ssh_login", "user_login") and
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and
source.ip != "::" and user.name in ("*root*" , "*admin*")] with runs=3
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
(
(file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history")) or
file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or
@@ -24,7 +24,7 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and event.action == "exec" and
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
(
/* disable FW */
(
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:linux and event.type:(start or process_started) and
((process.name:service and process.args:stop) or
(process.name:chkconfig and process.args:off) or
(process.name:systemctl and process.args:(disable or stop or kill)))
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.name:(base16 or base32 or base32plain or base32hex)
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,9 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and user.name == "root" and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not process.parent.executable: "/lib/systemd/systemd"
process where host.os.type == "linux" and event.type == "start" and user.name == "root" and
process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and
not process.parent.executable: "/lib/systemd/systemd"
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:shred and
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and
process.args:("-u" or "--remove" or "-z" or "--zero")
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.name:(chmod or chown or chattr or chgrp) and
process.working_directory:(/tmp or /var/tmp or /dev/shm) and
not user.name:root
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "linux" and event.type in ("start", "process_started") and
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
not process.name in ("ls", "find", "grep")
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type : "creation" and file.extension == "so" and file.name : ".*.so"
file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so"
'''
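Review bot: Besides the host scoping, this line also changes `event.type : "creation"` to `event.type == "creation"`, which in EQL swaps a case-insensitive match for a case-sensitive one, and neither the title nor the description mentions it. For ECS `event.type` values the two are almost certainly equivalent, and `==` is how the sibling rules in this commit spell the predicate, but an unannounced operator change in a detection rule reads as accidental to the next reviewer. A one-line mention in the commit body, e.g. `normalize event.type comparison to == in the hidden shared object rule`, would settle it.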
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.args:((rmmod and sudo) or (modprobe and sudo and ("--remove" or "-r")))
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type == "deletion" and
file where host.os.type == "linux" and event.type == "deletion" and
file.path :
(
"/var/run/utmp",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:nping
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.args:("/sys/class/dmi/id/bios_version" or
"/sys/class/dmi/id/product_name" or
"/sys/class/dmi/id/chassis_vendor" or
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -80,7 +80,7 @@ type = "eql"
query = '''
/* add file size filters when data is available */
file where event.type == "creation" and user.id == "0" and
file where host.os.type == "linux" and event.type == "creation" and user.id == "0" and
file.path regex~ """/var/run/\w+\.(pid|lock|reboot)""" and file.extension in ("pid","lock","reboot") and
/* handle common legitimate files */
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/01/19"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -79,7 +79,7 @@ type = "eql"
query = '''
sequence by process.entity_id
[process where event.type == "start" and
[process where host.os.type == "linux" and event.type == "start" and
process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and (
/* bind shell to echo for command execution */
(process.args:("-l","-p") and process.args:("-c","echo","$*"))
@@ -92,7 +92,7 @@ sequence by process.entity_id
/* file transfer via pipe */
or (process.args:("|") and process.args:("nc","ncat"))
)]
[network where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
[network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
'''
+2 -2
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:perl and
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and
process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";")
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -46,7 +46,8 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and user.id == "0" and process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
process where host.os.type == "linux" and event.type == "start" and user.id == "0" and
process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -38,7 +38,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process where host.os.type == "linux" and event.type == "start" and
event.action : ("exec", "exec_event") and user.name == "root" and
process.executable : (
"/dev/shm/*",
+2 -2
@@ -2,7 +2,7 @@
creation_date = "2020/04/15"
integration = ["endpoint"]
maturity = "production"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.name:python* and
process.args:("import pty; pty.spawn(\"/bin/sh\")" or
"import pty; pty.spawn(\"/bin/dash\")" or
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -39,10 +39,10 @@ type = "eql"
query = '''
sequence by host.id with maxspan = 5s
[process where event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")]
[process where process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or
[process where host.os.type == "linux" and event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")]
[process where host.os.type == "linux" and process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or
(process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))]
[process where (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
[process where host.os.type == "linux" and (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
(process.name: "openssl" and process.executable: "/usr/bin/openssl"))]
'''
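Review bot: In the second subquery the new `host.os.type == "linux"` guard does not cover the whole predicate, because `and` binds tighter than `or`: the line parses as `(host.os.type == "linux" and process.executable : ("/bin/sh","/bin/bash") and process.args:("-i")) or (process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))`, so the openssl alternative is not OS-scoped at all. Wrap the two alternatives so the guard applies to both: `[process where host.os.type == "linux" and ((process.executable : ("/bin/sh","/bin/bash") and process.args:("-i")) or` followed by ` (process.executable: ("/usr/bin/openssl") and process.args: ("-connect")))]`. Because the sequence joins on `host.id` and the first and third subqueries already carry the guard, the practical effect is probably small, but the third subquery shows the intended parenthesized form and this one should match it. The first subquery line also runs far past the width the other reworked queries in this commit wrap at; breaking it after `event.type == "start" and` would be consistent with them.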
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/01/19"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -102,7 +102,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process where host.os.type == "linux" and event.type == "start" and
(
/* launch shells from unusual process */
(process.name == "capsh" and process.args == "--") or
+2 -2
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
integration = ["endpoint"]
[rule]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd"
process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd"
'''
[[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -54,7 +54,7 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "Investigation
type = "threshold"
query = '''
event.category:process and event.type:start and process.name:"pkill" and process.args:"-f"
event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f"
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -34,8 +34,8 @@ type = "eql"
query = '''
sequence by process.entity_id
[process where process.name == "telnet" and event.type == "start"]
[network where process.name == "telnet" and
[process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
[network where host.os.type == "linux" and process.name == "telnet" and
not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
"192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -34,8 +34,8 @@ type = "eql"
query = '''
sequence by process.entity_id
[process where process.name == "telnet" and event.type == "start"]
[network where process.name == "telnet" and
[process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
[network where host.os.type == "linux" and process.name == "telnet" and
cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
"192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/01/19"
updated_date = "2023/02/22"
integration = ["endpoint"]
[rule]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process where host.os.type == "linux" and event.type == "start" and
(
(process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
(process.args : "*chkconfig" and process.args : "--add")
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/01/27"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and event.type:change and
event.category:file and host.os.type:linux and event.type:change and
process.name:* and
(file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and
not process.name:("dpkg" or "yum" or "dnf" or "dnf-automatic")
@@ -3,7 +3,7 @@ creation_date = "2022/07/12"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/15"
updated_date = "2023/02/22"
integration = ["endpoint"]
[rule]
@@ -27,8 +27,9 @@ type = "eql"
query = '''
sequence by process.entity_id with maxspan=1m
[process where event.type == "start" and process.name : ("cp", "rsync") and process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")]
[file where event.action == "creation" and file.extension == "so"]
[process where host.os.type == "linux" and event.type == "start" and process.name : ("cp", "rsync") and
process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")]
[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"]
'''
[[rule.threat]]
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
integration = ["endpoint"]
[rule]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type == "creation" and user.name == "root" and
file where host.os.type == "linux" and event.type == "creation" and user.name == "root" and
file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*")
and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic",
"*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system")
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
integration = ["endpoint"]
[rule]
@@ -27,7 +27,8 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and process.executable : "/usr/sbin/insmod" and process.args : "*.ko"
process where host.os.type == "linux" and event.type == "start" and
process.executable : "/usr/sbin/insmod" and process.args : "*.ko"
'''
[[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type != "deletion" and
file where host.os.type == "linux" and event.type != "deletion" and
file.extension in ("sh", "desktop") and
file.path :
(
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and
process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data")
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload
event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where file.path : "/*GCONV_PATH*"
file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/23"
updated_date = "2023/03/01"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and event.action == "exec" and user.name == "root"
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root"
and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow"))
and not process.executable:
("/usr/bin/tar",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and event.action : ("exec", "exec_event") and
process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and
process.executable: "/usr/bin/unshare" and
not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and
not process.args : "/usr/bin/snap"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.args :
(
"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.args :
(
"/Users/*/Library/Keychains/*",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:start and
event.category:process and host.os.type:macos and event.type:start and
process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or "-dump")
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d"
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d"
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.name:kcc and
process.args:copy_cred_cache
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process where host.os.type == "macos" and event.type == "start" and
process.name : "security" and process.args : "-wa" and process.args : ("find-generic-password", "find-internet-password") and
process.args : ("Chrome*", "Chromium", "Opera", "Safari*", "Brave", "Microsoft Edge", "Edge", "Firefox*") and
not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category : process and event.type : start and
event.category:process and host.os.type:macos and event.type:start and
process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and
not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or
"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or
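Review bot: The rewritten first line of the query drops the spaces around `:` (`event.category:process and host.os.type:macos and event.type:start and`) while the untouched lines below it keep the spaced form (`process.name : networksetup and process.args : (...)`, `not process.parent.executable : (...)`), so this one query now mixes both spacings. Either leave the first line's spacing as the original had it, `event.category : process and host.os.type : macos and event.type : start and`, or normalize the remaining lines the way the com.apple.dock.plist rule does later in this commit. The same partial normalization appears in the com.apple.loginwindow.plist rule, where `event.category:"file"` loses its quotes but `event.type:"deletion"` and `file.name:"com.apple.loginwindow.plist"` keep theirs. The query continues past the lines shown in this hunk.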
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
type = "threshold"
query = '''
event.category:process and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd
event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and process.name : "osascript" and
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
process.command_line : "osascript*display dialog*password*"
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.args:("/private/var/db/SystemKey" or "/var/db/SystemKey")
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.name:defaults and
process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.name : "xattr" and
(
(process.args : "com.apple.quarantine" and process.args : ("-d", "-w")) or
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.args:(spctl and "--master-disable")
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.name:security and process.args:"add-trusted-cert" and
not process.parent.executable:("/Library/Bitdefender/AVP/product/bin/BDCoreIssues" or "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp"
)
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:start and
event.category:process and host.os.type:macos and event.type:start and
process.name:launchctl and
process.args:(setenv and not (JAVA*_HOME or
RUNTIME_JAVA_HOME or
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and process.name : "sqlite*" and
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and
process.args : "/*/Application Support/com.apple.TCC/TCC.db" and
not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*"
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.name:"scp" and
process.args:"StrictHostKeyChecking=no" and
process.command_line:("scp *localhost:/*", "scp *127.0.0.1:/*") and
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:start and
event.category:process and host.os.type:macos and event.type:start and
process.name:defaults and process.args:
(com.apple.Safari and write and not
(
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos
event.category:file and host.os.type:macos and not event.type:deletion and file.name:~$*.zip and host.os.type:macos
'''
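Review bot: The new query carries `host.os.type:macos` twice — the original line already ended with `and host.os.type:macos`, and the change prepends the same clause after `event.category:file`. The duplicate is harmless to evaluation but it is noise for anyone reading the rule, and it suggests the insertion was scripted without checking for an existing host filter. Drop the trailing copy: `event.category:file and host.os.type:macos and not event.type:deletion and file.name:~$*.zip`. It may be worth grepping the other rule files touched by this commit for a second `host.os.type` occurrence produced the same way.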
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,8 +27,8 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category : process and event.type : (start or process_started) and process.name : mount_apfs and
process.args : (/System/Volumes/Data and noowners)
event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and
process.args:(/System/Volumes/Data and noowners)
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.name:kextunload and process.args:("/System/Library/Extensions/EndpointSecurity.kext" or "EndpointSecurity.kext")
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/01/18"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
(
process.name : ("ldapsearch", "dsmemberutil") or
(process.name : "dscl" and
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*)
event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*)
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.parent.name : ("Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari", "com.apple.WebKit.WebContent", "Microsoft Edge") and
process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget", "python*", "perl*", "php*", "osascript", "pwsh") and
process.command_line != null and
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -39,8 +39,8 @@ type = "eql"
query = '''
sequence by host.id, user.id with maxspan=30s
[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
[network where host.os.type == "macos" and event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,8 +27,8 @@ type = "eql"
query = '''
sequence by host.id with maxspan=30s
[process where event.type in ("start", "process_started") and process.name == "automator"]
[network where process.name:"com.apple.automator.runner"]
[process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "automator"]
[network where host.os.type == "macos" and process.name:"com.apple.automator.runner"]
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,8 +29,8 @@ type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=30s
[process where event.type == "start" and process.name == "osascript"]
[network where event.type != "end" and process.name == "osascript" and destination.ip != "::1" and
[process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"]
[network where host.os.type == "macos" and event.type != "end" and process.name == "osascript" and destination.ip != "::1" and
not cidrmatch(destination.ip,
"10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,8 +29,8 @@ type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid
[process where event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid
[process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid
[process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.parent.name:("Microsoft Word", "Microsoft PowerPoint", "Microsoft Excel") and
process.name:
(
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:start and
event.category:process and host.os.type:macos and event.type:start and
process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab))))
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
(
process.name : "mount_smbfs" or
(process.name : "open" and process.args : "smb://*") or
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.name:systemsetup and
process.args:("-setremotelogin" and on) and
not process.parent.executable : /usr/local/jamf/bin/jamf
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
(
(process.name : "networksetup" and process.args : "-connectpppoeservice") or
(process.name : "scutil" and process.args : "--nc" and process.args : "start") or
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,10 +29,10 @@ type = "eql"
query = '''
sequence by host.id with maxspan=1m
[file where event.type != "deletion" and
[file where host.os.type == "macos" and event.type != "deletion" and
file.path : ("/System/Library/LaunchAgents/*", "/Library/LaunchAgents/*", "/Users/*/Library/LaunchAgents/*")
]
[process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
[process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and process.name : "osascript" and
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
process.command_line : "osascript*login item*hidden:true*"
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,8 +29,8 @@ type = "eql"
query = '''
sequence by host.id with maxspan=1m
[file where event.type != "deletion" and file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")]
[process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
[file where host.os.type == "macos" and event.type != "deletion" and file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")]
[process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and not event.type:deletion and
event.category:file and host.os.type:macos and not event.type:deletion and
file.path:(/Library/Security/SecurityAgentPlugins/* and
not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and
not process.name:shove and process.code_signature.trusted:true
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type != "deletion" and process.name != null and
file where host.os.type == "macos" and event.type != "deletion" and process.name != null and
file.path : "/private/var/at/tabs/*" and not process.executable == "/usr/bin/crontab"
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.name:.* and process.parent.executable:/sbin/launchd
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and not event.type:deletion and
event.category:file and host.os.type:macos and not event.type:deletion and
file.path:/Library/DirectoryServices/PlugIns/*.dsplug
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -28,9 +28,9 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category : file and event.action : modification and
file.path : /Users/*/Library/Preferences/com.apple.dock.plist and
not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)
event.category:file and host.os.type:macos and event.action:modification and
file.path:/Users/*/Library/Preferences/com.apple.dock.plist and
not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type != "deletion" and
file where host.os.type == "macos" and event.type != "deletion" and
file.path : ("/private/etc/emond.d/rules/*.plist", "/etc/emon.d/rules/*.plist", "/private/var/db/emondClients/*")
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process where host.os.type == "macos" and event.type in ("start", "process_started") and
process.parent.name : "emond" and
process.name : (
"bash",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
event.category:process and host.os.type:macos and event.type:(start or process_started) and
process.name:dsenableroot and not process.args:"-d"
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type != "deletion" and
file where host.os.type == "macos" and event.type != "deletion" and
file.path :
(
"/System/Library/LaunchAgents/.*.plist",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and process.name : "pluginkit" and
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and
process.args : "-e" and process.args : "use" and process.args : "-i" and
not process.args :
(
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,8 +27,8 @@ type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid
[process where event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and
[process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid
[process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and
not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt"
] by process.parent.pid
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -33,8 +33,8 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process.name == "defaults" and process.args == "write" and process.args in ("LoginHook", "LogoutHook") and
process where host.os.type == "macos" and event.type == "start" and
process.name == "defaults" and process.args == "write" and process.args : ("LoginHook", "LogoutHook") and
not process.args :
(
"Support/JAMF/ManagementFrameworkScripts/logouthook.sh",
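Review bot: Besides adding `host.os.type`, the second rewritten line changes `process.args in ("LoginHook", "LogoutHook")` to `process.args : ("LoginHook", "LogoutHook")`, which in EQL moves from case-sensitive exact matching to case-insensitive, wildcard-capable matching — a behaviour change that the commit message ("ensure host information is in endpoint rule queries") does not mention. Widening the match is plausibly intentional (it would also catch `loginhook` in a different case), but it deserves its own sentence in the description or a rule-level note so that anyone tuning this rule understands why its semantics moved in the same commit as a metadata-only sweep. The following `not process.args :` exclusion list already uses `:`, so the query is at least internally consistent; that list continues outside the hunk.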
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:"file" and not event.type:"deletion" and
event.category:file and host.os.type:macos and not event.type:"deletion" and
file.name:"com.apple.loginwindow.plist" and
process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor"
))
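Review bot: The rewritten first line quotes inconsistently: `event.category:file` and `host.os.type:macos` are now bare terms while `not event.type:"deletion"` on the same line keeps its quotes. Both forms are equivalent for keyword fields, so this is only a style point, but one convention per query reads better — e.g. `event.category:file and host.os.type:macos and not event.type:deletion and`. The other KQL rule in this commit makes the same half-change, so whichever form is chosen should be applied to both.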
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type in ("change", "creation") and file.extension : "py" and
file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and
file.path :
(
"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:"file" and not event.type:"deletion" and
event.category:file and host.os.type:macos and not event.type:"deletion" and
file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)
'''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -43,7 +43,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and process.parent.name == "ScreenSaverEngine"
process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine"
'''
