Expand timestamp override tests (#1907)

* Expand timestamp_override tests * removed timestamp_override from eql sequence rules * add config entry for eql rules with beats index and t_o * add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
parent 648daf1237
commit 6bdfddac8e
233 changed files with 1695 additions and 731 deletions
@@ -294,10 +294,15 @@ class EQLRuleData(QueryRuleData):
        else:
            return self.convert_time_span(lookback)

+    @cached_property
+    def is_sequence(self) -> bool:
+        """Checks if the current rule is a sequence-based rule."""
+        return eql.utils.get_query_type(self.ast) == 'sequence'
+
    @cached_property
    def max_span(self) -> Optional[int]:
        """Maxspan value for sequence rules if defined."""
-        if eql.utils.get_query_type(self.ast) == 'sequence' and hasattr(self.ast.first, 'max_span'):
+        if self.is_sequence and hasattr(self.ast.first, 'max_span'):
            return self.ast.first.max_span.as_milliseconds() if self.ast.first.max_span else None

    @cached_property
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -17,6 +17,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Potential Cookies Theft via Browser Debugging"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://github.com/defaultnamehere/cookie_crimes",
    "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.
 language = "eql"
 license = "Elastic License v2"
 name = "WebServer Access Logs Deleted"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac"
 severity = "medium"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/03/09"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Timestomping using Touch Command"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6"
 severity = "medium"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/20"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["logs-endpoint.events.*", "auditbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Security Software Discovery via Grep"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
 severity = "medium"
@@ -78,3 +82,4 @@ reference = "https://attack.mitre.org/techniques/T1518/001/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/09/29"
 maturity = "production"
-updated_date = "2021/09/29"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -21,6 +21,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Virtual Machine Fingerprinting via Grep"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://objective-see.com/blog/blog_0x4F.html"]
 risk_score = 47
 rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
@@ -49,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1082/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "development"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Python Script Execution via Command Line"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
 severity = "medium"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell Activity via Terminal"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
    "https://github.com/WangYihang/Reverse-Shell-Manager",
@@ -1,23 +1,27 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/12/10"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious
-JAR file or an exploitation attempt via a JAVA specific vulnerability.
+Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a
+malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious JAVA Child Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
-"https://www.lunasec.io/docs/blog/log4j-zero-day/",
-"https://github.com/christophetd/log4shell-vulnerable-app",
-"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
+    "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+    "https://github.com/christophetd/log4shell-vulnerable-app",
+    "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
 ]
 risk_score = 47
 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/12/10"
 maturity = "production"
-updated_date = "2021/12/10"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -23,7 +23,6 @@ risk_score = 73
 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
-timestamp_override = "event.ingested"
 type = "eql"

 query = '''
@@ -20,7 +20,10 @@ license = "Elastic License v2"
 name = "Hosts File Modified"
 note = """## Config

-For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml."""
+For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
 risk_score = 47
 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/01/05"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/31"
 integration = "okta"

 [rule]
@@ -23,7 +23,6 @@ risk_score = 73
 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
 severity = "high"
 tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
-timestamp_override = "event.ingested"
 type = "eql"

 query = '''
@@ -1,22 +1,27 @@
 [metadata]
 creation_date = "2021/04/12"
 maturity = "production"
-updated_date = "2021/04/12"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
 description = """
 Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim
-system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.
+system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable
+systems.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Protocol Tunneling via EarthWorm"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "http://rootkiter.com/EarthWorm/",
-    "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
+    "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
 ]
 risk_score = 47
 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769"
@@ -38,7 +43,9 @@ id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"

+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -16,6 +16,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential OpenSSH Backdoor Logging Activity"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://github.com/eset/malware-ioc/tree/master/sshdoor",
    "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Tampering of Bash Command-Line History"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 severity = "medium"
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/04/29"
 maturity = "production"
-updated_date = "2021/03/03"
 min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -24,6 +24,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Creation of Hidden Files and Directories"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
 severity = "medium"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Log File Deletion"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
 ]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -26,8 +26,8 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and process.name == "sensible-pager" and 
-  process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash") and 
+process where event.type == "start" and process.name == "sensible-pager" and
+  process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash") and
  process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog"
 '''

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and process.name in ("sh", "bash", "dash") and 
+process where event.type == "start" and process.name in ("sh", "bash", "dash") and
  process.parent.name in ("nawk", "mawk", "awk", "gawk") and process.parent.args : "BEGIN {system(*)}"
 '''

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/15"
 maturity = "production"
-updated_date = "2022/03/24"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -48,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/17"
 maturity = "production"
-updated_date = "2022/03/24"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -26,9 +26,9 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and process.name in ("bash", "sh", "dash") and 
-  process.parent.name == "cpulimit" and process.parent.args == "-f" and 
-  process.parent.args in ("/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash") 
+process where event.type == "start" and process.name in ("bash", "sh", "dash") and
+  process.parent.name == "cpulimit" and process.parent.args == "-f" and
+  process.parent.args in ("/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash")
 '''


@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/21"
 maturity = "production"
-updated_date = "2022/03/24"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/07"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -25,9 +25,9 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and process.name in ("bash", "sh", "dash") and 
-  process.parent.name == "expect" and process.parent.args == "-c" and 
-  process.parent.args in ("spawn /bin/sh;interact", "spawn /bin/bash;interact", "spawn /bin/dash;interact", "spawn sh;interact", "spawn bash;interact", "spawn dash;interact") 
+process where event.type == "start" and process.name in ("bash", "sh", "dash") and
+  process.parent.name == "expect" and process.parent.args == "-c" and
+  process.parent.args in ("spawn /bin/sh;interact", "spawn /bin/bash;interact", "spawn /bin/dash;interact", "spawn sh;interact", "spawn bash;interact", "spawn dash;interact")
 '''


@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/28"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -25,8 +25,8 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and process.name in ("bash", "sh") and 
-  process.parent.name == "find" and process.parent.args == "-exec" and 
+process where event.type == "start" and process.name in ("bash", "sh") and
+  process.parent.name == "find" and process.parent.args == "-exec" and
  process.parent.args == ";" and process.parent.args in ("/bin/bash", "/bin/sh", "bash", "sh")
 '''

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -25,8 +25,8 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and process.name in ("sh", "dash", "bash")  and 
-  process.parent.name == "gcc" and process.parent.args == "-wrapper" and 
+process where event.type == "start" and process.name in ("sh", "dash", "bash")  and
+  process.parent.name == "gcc" and process.parent.args == "-wrapper" and
  process.parent.args in ("sh,-s", "bash,-s", "dash,-s", "/bin/sh,-s", "/bin/bash,-s", "/bin/dash,-s")
 '''

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -25,9 +25,9 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and process.name in ("bash", "sh", "dash") and 
-  process.parent.name == "mysql" and process.parent.args == "-e" and 
-  process.parent.args : ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash") 
+process where event.type == "start" and process.name in ("bash", "sh", "dash") and
+  process.parent.name == "mysql" and process.parent.args == "-e" and
+  process.parent.args : ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")
 '''


@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/07"
 maturity = "development"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and process.name in ("bash", "sh", "dash") and 
+process where event.type == "start" and process.name in ("bash", "sh", "dash") and
  process.parent.name == "nice" and process.parent.args in ("/bin/bash", "/bin/sh", "/bin/dash", "sh", "bash", "dash")
 '''

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/10"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -25,8 +25,8 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and process.name : ("bash", "sh", "dash") and 
-  process.parent.name == "ssh" and process.parent.args == "-o" and 
+process where event.type == "start" and process.name : ("bash", "sh", "dash") and
+  process.parent.name == "ssh" and process.parent.args == "-o" and
  process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2")
 '''

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via KDE AutoStart Script or Desktop File Modification"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://userbase.kde.org/System_Settings/Autostart",
    "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access of Stored Browser Credentials"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
 risk_score = 73
 rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to Keychain Credentials Directories"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://objective-see.com/blog/blog_0x25.html",
    "https://securelist.com/calisto-trojan-for-macos/86543/",
@@ -68,3 +72,4 @@ reference = "https://attack.mitre.org/techniques/T1555/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://ss64.com/osx/security.html"]
 risk_score = 73
 rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/06"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -16,6 +16,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Keychain Password Retrieval via Command Line"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://www.netmeister.org/blog/keychain-passwords.html",
    "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py",
@@ -48,6 +52,7 @@ id = "T1555.001"
 name = "Keychain"
 reference = "https://attack.mitre.org/techniques/T1555/001/"

+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
@@ -58,7 +63,9 @@ name = "Credentials from Web Browsers"
 reference = "https://attack.mitre.org/techniques/T1555/003/"


+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Prompt for Credentials with OSASCRIPT"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
    "https://ss64.com/osx/osascript.html",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Remove File Quarantine Attribute"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
    "https://ss64.com/osx/xattr.html",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/08/25"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via TCCDB Modification"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
    "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/11"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via Localhost Secure Copy"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/",
 ]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Users or Groups via Built-in Commands"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
 severity = "low"
@@ -51,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1087/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/23"
 maturity = "production"
-updated_date = "2021/08/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,6 @@ risk_score = 47
 rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
 severity = "medium"
 tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
-timestamp_override = "event.ingested"
 type = "eql"

 query = '''
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Mount SMB Share via Command Line"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"]
 risk_score = 21
 rule_id = "661545b4-1a90-4f45-85ce-2ebd7c6a15d0"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Virtual Private Network Connection Attempt"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
    "https://www.unix.com/man-page/osx/8/networksetup/",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of Hidden Login Item via Apple Script"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7"
 severity = "medium"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Emond Rules Creation or Modification"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://www.xorrior.com/emond-persistence/"]
 risk_score = 47
 rule_id = "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of Hidden Launch Agent or Daemon"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
 ]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/03/09"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Login or Logout Hook"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf",
    "https://www.manpagez.com/man/1/defaults/",
@@ -50,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1037/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sublime Plugin or Application Script Modification"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
 risk_score = 21
 rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2021/10/05"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -22,6 +22,11 @@ note = """## Triage and analysis
 as a download of a payload from a server.
 - Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to
 identify whether the file is malicious or not.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
    "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
@@ -42,9 +47,9 @@ process where event.type == "start" and process.parent.name == "ScreenSaverEngin
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1546/"
-name = "Event Triggered Execution"
 id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"


 [rule.threat.tactic]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2021/10/05"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,12 @@ note = """## Triage and analysis

 - Analyze the plist file modification event to identify whether the change was expected or not
 - Investigate the process that modified the plist file for malicious code or other suspicious behavior
- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host"""
+- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
    "https://github.com/D00MFist/PersistentJXA",
@@ -52,9 +57,9 @@ file where event.type != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1546/"
-name = "Event Triggered Execution"
 id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"


 [rule.threat.tactic]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/27"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Apple Scripting Execution with Administrator Privileges"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://discussions.apple.com/thread/2266150"]
 risk_score = 47
 rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Exporting Exchange Mailbox via PowerShell"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps",
@@ -34,20 +38,20 @@ process where event.type in ("start", "process_started") and

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+[[rule.threat.technique.subtechnique]]
+id = "T1114.002"
+name = "Remote Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/002/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1114.002"
-  name = "Remote Email Collection"
-  reference = "https://attack.mitre.org/techniques/T1114/002/"
-
-[[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1005/"
-id = "T1005"
-name = "Data from Local System"


 [rule.threat.tactic]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/07"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -47,6 +47,11 @@ file names included in the encrypted file.
 - Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
 - Reset the passwords of the involved accounts.
 - Safeguard critical assets to prevent further harm or theft of data.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"]
 risk_score = 47
@@ -77,11 +82,10 @@ framework = "MITRE ATT&CK"
 id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
-
-  [[rule.threat.technique.subtechnique]]
-  id = "T1560.001"
-  name = "Archive via Utility"
-  reference = "https://attack.mitre.org/techniques/T1560/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1560.001"
+name = "Archive via Utility"
+reference = "https://attack.mitre.org/techniques/T1560/001/"


 [rule.threat.tactic]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Connection to Commonly Abused Free SSL Certificate Providers"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d"
 severity = "low"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Port Forwarding Rule Addition"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 ]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"]
 risk_score = 73
 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
@@ -37,6 +41,7 @@ id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"

+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Desktopimgdownldr Utility"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"]
 risk_score = 47
 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
@@ -33,12 +37,12 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-reference = "https://attack.mitre.org/techniques/T1105/"
 name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"


 [rule.threat.tactic]
 id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,12 @@ name = "Remote File Download via MpCmdRun"
 note = """## Triage and analysis

 ### Investigating Remote File Download via MpCmdRun
-Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`."""
+Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://twitter.com/mohammadaskar2/status/1301263551638761477",
    "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/",
@@ -37,12 +42,12 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-reference = "https://attack.mitre.org/techniques/T1105/"
 name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"


 [rule.threat.tactic]
 id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy via TeamViewer"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
 risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
@@ -29,9 +33,8 @@ file where event.type == "creation" and process.name : "TeamViewer.exe" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-reference = "https://attack.mitre.org/techniques/T1105/"
 name = "Ingress Tool Transfer"
-
+reference = "https://attack.mitre.org/techniques/T1105/"

 [[rule.threat.technique]]
 id = "T1219"
@@ -41,6 +44,6 @@ reference = "https://attack.mitre.org/techniques/T1219/"

 [rule.threat.tactic]
 id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/07/20"
 min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -16,6 +16,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Windows Utilities"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://lolbas-project.github.io/"]
 risk_score = 73
 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
@@ -45,16 +49,17 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.003"
+name = "NTDS"
+reference = "https://attack.mitre.org/techniques/T1003/003/"

-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"

-  [[rule.threat.technique.subtechnique]]
-  name = "NTDS"
-  id = "T1003.003"
-  reference = "https://attack.mitre.org/techniques/T1003/003/"

 [rule.threat.tactic]
 id = "TA0006"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/07/22"
+updated_date = "2022/03/31"

 [rule]
-author = ["Elastic","Austin Songer"]
+author = ["Elastic", "Austin Songer"]
 description = """
 Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files.
 Those files contain sensitive information including hashed domain and/or local credentials.
@@ -15,6 +15,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "NTDS or SAM Database File Copied"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
    "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy",
@@ -44,13 +48,15 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+

-  [[rule.threat.technique.subtechnique]]
-  name = "Security Account Manager"
-  id = "T1003.002"
-  reference = "https://attack.mitre.org/techniques/T1003/002/"

 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,6 @@ risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
-timestamp_override = "event.ingested"
 type = "eql"

 query = '''
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/08"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -82,6 +82,9 @@ Audit Policies >
 DS Access > 
 Audit Directory Service Changes (Success,Failure)
 ```
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+
 """
 references = [
    "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,12 @@ license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
 note = """## Triage and analysis

-Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys."""
+Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
    "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
@@ -37,21 +42,22 @@ file where event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_ca
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1552"
-reference = "https://attack.mitre.org/techniques/T1552/"
 name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
 [[rule.threat.technique.subtechnique]]
 id = "T1552.004"
-reference = "https://attack.mitre.org/techniques/T1552/004/"
 name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
+
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"


-
 [rule.threat.tactic]
 id = "TA0006"
-reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Credential Acquisition via Registry Hive Dumping"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8",
 ]
@@ -35,16 +39,17 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.004"
+name = "LSA Secrets"
+reference = "https://attack.mitre.org/techniques/T1003/004/"

-  [[rule.threat.technique.subtechnique]]
-  name = "Security Account Manager"
-  id = "T1003.002"
-  reference = "https://attack.mitre.org/techniques/T1003/002/"

-  [[rule.threat.technique.subtechnique]]
-  name = "LSA Secrets"
-  id = "T1003.004"
-  reference = "https://attack.mitre.org/techniques/T1003/004/"

 [rule.threat.tactic]
 id = "TA0006"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Microsoft IIS Service Account Password Dumped"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
 risk_score = 73
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -16,6 +16,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Microsoft IIS Connection Strings Decryption"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
    "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kerberos Traffic from Unusual Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782"
 severity = "medium"
@@ -17,6 +17,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Memory Dump Creation"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"]
 risk_score = 73
 rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f"
@@ -36,16 +40,17 @@ file where file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdm
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1003"
-reference = "https://attack.mitre.org/techniques/T1003/"
 name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+

-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"

 [rule.threat.tactic]
 id = "TA0006"
-reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -64,6 +64,9 @@ Audit Handle Manipulation (Success,Failure)
 ```

 Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required ACE to handle the use of specific access rights.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+
 """
 references = [
    "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mimikatz Memssp Log File Detected"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 73
 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
 severity = "high"
@@ -27,12 +31,12 @@ file where file.name : "mimilsa.log" and process.name : "lsass.exe"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1003"
-reference = "https://attack.mitre.org/techniques/T1003/"
 name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"


 [rule.threat.tactic]
 id = "TA0006"
-reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "development"
-updated_date = "2021/09/09"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -53,6 +53,11 @@ used the machine. These users should have their password reset.
 this capability.
 - This [resource](https://adsecurity.org/?page_id=1821) provided by ADSecurity should be used as required reading for
 detecting/preventing and understanding the different Mimikatz components.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = ["https://attack.mitre.org/software/S0002/"]
 risk_score = 99
@@ -67,19 +72,22 @@ process where event.type in ("start", "process_started") and process.name : ("cm
 and process.args : ("*DumpCreds", "*Mimikatz*")
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+

-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"

 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/03/07"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -62,6 +62,11 @@ consequently unauthorized access.
 - Disable user account’s ability to log in remotely.
 - Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
 - Reimage the host operating system and restore compromised files to clean versions.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
    "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
@@ -1,20 +1,23 @@
 [metadata]
 creation_date = "2021/09/27"
 maturity = "production"
-updated_date = "2021/09/27"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. 
-This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory
-for credential access.
+Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate
+an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via DuplicateHandle in LSASS"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://github.com/CCob/MirrorDump"]
 risk_score = 47
 rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
@@ -40,13 +43,15 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+

-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"

 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
@@ -3,7 +3,7 @@ creation_date = "2022/03/01"
 maturity = "production"
 min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
 min_stack_version = "7.15.0"
-updated_date = "2022/03/01"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -26,7 +26,6 @@ risk_score = 73
 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"]
-timestamp_override = "event.ingested"
 type = "eql"

 query = '''
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Searching for Saved Credentials via VaultCmd"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
    "https://rastamouse.me/blog/rdp-jump-boxes/",
@@ -39,6 +43,7 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
@@ -49,6 +54,7 @@ name = "Windows Credential Manager"
 reference = "https://attack.mitre.org/techniques/T1555/004/"


+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2021/10/17"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"
 maturity = "production"


@@ -25,7 +25,6 @@ risk_score = 73
 rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
-timestamp_override = "event.ingested"
 type = "eql"

 query = '''
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/07"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,13 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via LSASS Memory Dump"
-references = ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz"]
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+references = [
+    "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+]
 risk_score = 73
 rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
 severity = "high"
@@ -40,13 +46,15 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+

-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"

 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -51,7 +51,6 @@ risk_score = 47
 rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"]
-timestamp_override = "event.ingested"
 type = "eql"

 query = '''
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/12/25"
 maturity = "production"
-updated_date = "2022/03/18"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -64,6 +64,9 @@ Audit Handle Manipulation (Success,Failure)

 This event will only trigger if symbolic links are created from a new process spawning for cmd.exe or powershell.exe with the correct arguments.
 Direct access to a shell and calling symbolic link creation tools will not generate an event.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+
 """
 references = [
    "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2021/11/27"
-updated_date = "2021/11/27"
+updated_date = "2022/03/31"
 maturity = "production"


@@ -17,7 +17,10 @@ license = "Elastic License v2"
 name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
 note = """## Config

-This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation."""
+This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"
@@ -13,6 +13,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Adding Hidden File Attribute via Attrib"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
 severity = "low"
@@ -32,24 +36,24 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1564"
-reference = "https://attack.mitre.org/techniques/T1564/"
 name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
 [[rule.threat.technique.subtechnique]]
 id = "T1564.001"
-reference = "https://attack.mitre.org/techniques/T1564/001/"
 name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"



 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
 id = "TA0003"
-reference = "https://attack.mitre.org/tactics/TA0003/"
 name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/01"
 maturity = "production"
-updated_date = "2022/03/07"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -56,6 +56,11 @@ monitored by the security team, as these modifications expose the host to malwar
 - Isolate the involved hosts to prevent further post-compromise behavior.
 - If malware was found, implement temporary network rules, procedures, and segmentation required to contain it.
 - Delete or set the key to its default value.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
    "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf",
@@ -1,19 +1,23 @@
 [metadata]
 creation_date = "2021/11/22"
 maturity = "production"
-updated_date = "2021/11/24"
+updated_date = "2022/03/31"

 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal
-the actions undertaken during an intrusion.
+Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised
+account to conceal the actions undertaken during an intrusion.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clearing Windows Console History"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
    "https://www.shellhacks.com/clear-history-powershell/",
@@ -34,19 +38,22 @@ process where event.action == "start" and
     (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*"))
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.003"
+name = "Clear Command History"
+reference = "https://attack.mitre.org/techniques/T1070/003/"
+

-  [[rule.threat.technique.subtechnique]]
-  id = "T1070.003"
-  name = "Clear Command History"
-  reference = "https://attack.mitre.org/techniques/T1070/003/"

 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clearing Windows Event Logs"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
 severity = "low"
@@ -35,15 +39,15 @@ framework = "MITRE ATT&CK"
 id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.001"
+name = "Clear Windows Event Logs"
+reference = "https://attack.mitre.org/techniques/T1070/001/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1070.001"
-  name = "Clear Windows Event Logs"
-  reference = "https://attack.mitre.org/techniques/T1070/001/"


 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Process from Conhost"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx",
@@ -33,12 +37,12 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1055"
-reference = "https://attack.mitre.org/techniques/T1055/"
 name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"


 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/01"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -16,6 +16,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation or Modification of Root Certificate"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
    "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,12 @@ license = "Elastic License v2"
 name = "Windows Defender Disabled via Registry Modification"
 note = """## Triage and analysis

-Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized."""
+Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://thedfirreport.com/2020/12/13/defender-control/"]
 risk_score = 21
 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb"
@@ -46,16 +51,16 @@ framework = "MITRE ATT&CK"
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.006"
-name = "Indicator Blocking"
-reference = "https://attack.mitre.org/techniques/T1562/006/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"

+[[rule.threat.technique.subtechnique]]
+id = "T1562.006"
+name = "Indicator Blocking"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
+


 [rule.threat.tactic]
@@ -1,12 +1,13 @@
 [metadata]
 creation_date = "2021/07/20"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.
+Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder
+directory or process level.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
@@ -45,8 +46,15 @@ potentially isolate further activity.
 - If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove
 the exclusion and ensure antimalware capability has not been disabled or deleted.
 - Exclusion lists for antimalware capabilities should always be routinely monitored for review.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
-references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"]
+references = [
+    "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
+]
 risk_score = 47
 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
 severity = "medium"
@@ -68,16 +76,16 @@ framework = "MITRE ATT&CK"
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.006"
-name = "Indicator Blocking"
-reference = "https://attack.mitre.org/techniques/T1562/006/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"

+[[rule.threat.technique.subtechnique]]
+id = "T1562.006"
+name = "Indicator Blocking"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
+


 [rule.threat.tactic]
@@ -96,7 +104,9 @@ name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"


+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Delete Volume USN Journal with Fsutil"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
 severity = "low"
@@ -32,17 +36,17 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-reference = "https://attack.mitre.org/techniques/T1070/"
 name = "Indicator Removal on Host"
+reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.004"
-reference = "https://attack.mitre.org/techniques/T1070/004/"
 name = "File Deletion"
+reference = "https://attack.mitre.org/techniques/T1070/004/"



 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

@@ -1,19 +1,23 @@
 [metadata]
 creation_date = "2022/01/31"
 maturity = "production"
-updated_date = "2022/01/31"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable
-this logging to conceal their activities in the host and evade detection.
+Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this
+logging to conceal their activities in the host and evade detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "PowerShell Script Block Logging Disabled"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging",
 ]
@@ -34,20 +38,19 @@ registry where event.type == "change" and

 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
-reference = "https://attack.mitre.org/techniques/T1562/"
 name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.002"
+name = "Disable Windows Event Logging"
+reference = "https://attack.mitre.org/techniques/T1562/002/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1562.002"
-  name = "Disable Windows Event Logging"
-  reference = "https://attack.mitre.org/techniques/T1562/002/"


 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disable Windows Firewall Rules via Netsh"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
 severity = "medium"
@@ -33,17 +37,17 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
-reference = "https://attack.mitre.org/techniques/T1562/"
 name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.004"
-reference = "https://attack.mitre.org/techniques/T1562/004/"
 name = "Disable or Modify System Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/004/"



 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -12,6 +12,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disabling Windows Defender Security Settings via PowerShell"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps",
 ]
@@ -33,16 +37,17 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
-reference = "https://attack.mitre.org/techniques/T1562/"
 name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
 name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"



 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,13 +1,12 @@
 [metadata]
 creation_date = "2021/05/06"
 maturity = "production"
-updated_date = "2021/09/23"
-
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
 description = """
-Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by 
+Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by
 attackers in an attempt to evade detection on a system.
 """
 from = "now-9m"
@@ -15,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disable Windows Event and Security Logs Using Built-in Tools"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman"]
 risk_score = 21
 rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
@@ -36,20 +39,22 @@ process where event.type in ("start", "process_started") and
  ((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable")
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.001"
+name = "Clear Windows Event Logs"
+reference = "https://attack.mitre.org/techniques/T1070/001/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1070.001"
-  name = "Clear Windows Event Logs"
-  reference = "https://attack.mitre.org/techniques/T1070/001/"


 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,19 +1,24 @@
 [metadata]
 creation_date = "2021/07/22"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2022/03/31"

 [rule]
 author = ["Austin Songer"]
-description = """Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or
-the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type,
-response, and originating IP, which are used to determine bad actors."""
-
+description = """
+Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating
+data. With this enabled, an organization will lose visibility into data such as query type, response, and originating
+IP, which are used to determine bad actors.
+"""
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "DNS-over-HTTPS Enabled via Registry"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
    "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
    "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
@@ -35,6 +40,7 @@ registry where event.type in ("creation", "change") and
  registry.data.strings : "1")
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -42,6 +48,7 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"

+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious .NET Code Compilation"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
 severity = "medium"
@@ -31,11 +35,11 @@ framework = "MITRE ATT&CK"
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.004"
+name = "Compile After Delivery"
+reference = "https://attack.mitre.org/techniques/T1027/004/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1027.004"
-  name = "Compile After Delivery"
-  reference = "https://attack.mitre.org/techniques/T1027/004/"


 [rule.threat.tactic]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Desktop Enabled in Windows Firewall"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7"
 severity = "medium"
@@ -37,8 +41,9 @@ name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.004"
-reference = "https://attack.mitre.org/techniques/T1562/004/"
 name = "Disable or Modify System Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
+


 [rule.threat.tactic]
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to
-weaken the host firewall settings.
+Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line
+tool to weaken the host firewall settings.
 """
 false_positives = ["Host Windows Firewall planned system administration changes."]
 from = "now-9m"
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enable Host Network Discovery via Netsh"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
 severity = "medium"
@@ -37,12 +41,13 @@ name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.004"
-reference = "https://attack.mitre.org/techniques/T1562/004/"
 name = "Disable or Modify System Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/004/"



 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0005/"
 id = "TA0005"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/09/08"
 maturity = "production"
-updated_date = "2021/09/08"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Control Panel Process with Unusual Arguments"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://www.joesandbox.com/analysis/476188/1/html"]
 risk_score = 73
 rule_id = "416697ae-e468-4093-a93d-59661fa619ec"
@@ -45,18 +49,18 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1218/"
-name = "Signed Binary Proxy Execution"
 id = "T1218"
+name = "Signed Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [[rule.threat.technique.subtechnique]]
-reference = "https://attack.mitre.org/techniques/T1218/002/"
-name = "Control Panel"
 id = "T1218.002"
+name = "Control Panel"
+reference = "https://attack.mitre.org/techniques/T1218/002/"



 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0005/"
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

@@ -16,6 +16,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "ImageLoad via Windows Update Auto Update Client"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://dtm.uk/wuauclt/"]
 risk_score = 47
 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by an Office Application"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
 risk_score = 73
 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
@@ -46,23 +50,24 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1127"
-reference = "https://attack.mitre.org/techniques/T1127/"
 name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1127.001"
-  name = "MSBuild"
-  reference = "https://attack.mitre.org/techniques/T1127/001/"


 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
 id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/31"

 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a Script Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
 severity = "low"
@@ -33,24 +37,24 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1127"
-reference = "https://attack.mitre.org/techniques/T1127/"
 name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"

-  [[rule.threat.technique.subtechnique]]
-  id = "T1127.001"
-  name = "MSBuild"
-  reference = "https://attack.mitre.org/techniques/T1127/001/"


 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
 id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

--- a/Show More
+++ b/Show More