Expand timestamp override tests (#1907)

* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields

rules/windows/collection_email_powershell_exchange_mailbox.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Exporting Exchange Mailbox via PowerShell"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
     "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps",
@@ -34,20 +38,20 @@ process where event.type in ("start", "process_started") and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+[[rule.threat.technique.subtechnique]]
+id = "T1114.002"
+name = "Remote Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/002/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1114.002"
-  name = "Remote Email Collection"
-  reference = "https://attack.mitre.org/techniques/T1114/002/"
-
-[[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1005/"
-id = "T1005"
-name = "Data from Local System"
 
 
 [rule.threat.tactic]

rules/windows/collection_winrar_encryption.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/07"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -47,6 +47,11 @@ file names included in the encrypted file.
 - Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
 - Reset the passwords of the involved accounts.
 - Safeguard critical assets to prevent further harm or theft of data.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"]
 risk_score = 47
@@ -77,11 +82,10 @@ framework = "MITRE ATT&CK"
 id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
-
-  [[rule.threat.technique.subtechnique]]
-  id = "T1560.001"
-  name = "Archive via Utility"
-  reference = "https://attack.mitre.org/techniques/T1560/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1560.001"
+name = "Archive via Utility"
+reference = "https://attack.mitre.org/techniques/T1560/001/"
 
 
 [rule.threat.tactic]

rules/windows/command_and_control_encrypted_channel_freesslcert.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Connection to Commonly Abused Free SSL Certificate Providers"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d"
 severity = "low"

rules/windows/command_and_control_port_forwarding_added_registry.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Port Forwarding Rule Addition"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 ]

rules/windows/command_and_control_rdp_tunnel_plink.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"]
 risk_score = 73
 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
@@ -37,6 +41,7 @@ id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
 
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"

rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Desktopimgdownldr Utility"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"]
 risk_score = 47
 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
@@ -33,12 +37,12 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-reference = "https://attack.mitre.org/techniques/T1105/"
 name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 
 
 [rule.threat.tactic]
 id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 

rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,12 @@ name = "Remote File Download via MpCmdRun"
 note = """## Triage and analysis
 
 ### Investigating Remote File Download via MpCmdRun
-Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`."""
+Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://twitter.com/mohammadaskar2/status/1301263551638761477",
     "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/",
@@ -37,12 +42,12 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-reference = "https://attack.mitre.org/techniques/T1105/"
 name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 
 
 [rule.threat.tactic]
 id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 

rules/windows/command_and_control_teamviewer_remote_file_copy.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy via TeamViewer"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
 risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
@@ -29,9 +33,8 @@ file where event.type == "creation" and process.name : "TeamViewer.exe" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-reference = "https://attack.mitre.org/techniques/T1105/"
 name = "Ingress Tool Transfer"
-
+reference = "https://attack.mitre.org/techniques/T1105/"
 
 [[rule.threat.technique]]
 id = "T1219"
@@ -41,6 +44,6 @@ reference = "https://attack.mitre.org/techniques/T1219/"
 
 [rule.threat.tactic]
 id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 

rules/windows/credential_access_cmdline_dump_tool.toml

@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/07/20"
 min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Windows Utilities"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://lolbas-project.github.io/"]
 risk_score = 73
 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
@@ -45,16 +49,17 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.003"
+name = "NTDS"
+reference = "https://attack.mitre.org/techniques/T1003/003/"
 
-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"
 
-  [[rule.threat.technique.subtechnique]]
-  name = "NTDS"
-  id = "T1003.003"
-  reference = "https://attack.mitre.org/techniques/T1003/003/"
 
 [rule.threat.tactic]
 id = "TA0006"

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2021/07/22"
+updated_date = "2022/03/31"
 
 [rule]
-author = ["Elastic","Austin Songer"]
+author = ["Elastic", "Austin Songer"]
 description = """
 Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files.
 Those files contain sensitive information including hashed domain and/or local credentials.
@@ -15,6 +15,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "NTDS or SAM Database File Copied"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
     "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy",
@@ -44,13 +48,15 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
 
-  [[rule.threat.technique.subtechnique]]
-  name = "Security Account Manager"
-  id = "T1003.002"
-  reference = "https://attack.mitre.org/techniques/T1003/002/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+

rules/windows/credential_access_credential_dumping_msbuild.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,6 @@ risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
-timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/windows/credential_access_dcsync_replication_rights.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/08"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -82,6 +82,9 @@ Audit Policies >
 DS Access > 
 Audit Directory Service Changes (Success,Failure)
 ```
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+
 """
 references = [
     "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",

rules/windows/credential_access_domain_backup_dpapi_private_keys.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,12 @@ license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
 note = """## Triage and analysis
 
-Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys."""
+Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
     "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
@@ -37,21 +42,22 @@ file where event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_ca
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1552"
-reference = "https://attack.mitre.org/techniques/T1552/"
 name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
 [[rule.threat.technique.subtechnique]]
 id = "T1552.004"
-reference = "https://attack.mitre.org/techniques/T1552/004/"
 name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
+
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
 
 
-
 [rule.threat.tactic]
 id = "TA0006"
-reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 

rules/windows/credential_access_dump_registry_hives.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Credential Acquisition via Registry Hive Dumping"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8",
 ]
@@ -35,16 +39,17 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.004"
+name = "LSA Secrets"
+reference = "https://attack.mitre.org/techniques/T1003/004/"
 
-  [[rule.threat.technique.subtechnique]]
-  name = "Security Account Manager"
-  id = "T1003.002"
-  reference = "https://attack.mitre.org/techniques/T1003/002/"
 
-  [[rule.threat.technique.subtechnique]]
-  name = "LSA Secrets"
-  id = "T1003.004"
-  reference = "https://attack.mitre.org/techniques/T1003/004/"
 
 [rule.threat.tactic]
 id = "TA0006"

rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Microsoft IIS Service Account Password Dumped"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
 risk_score = 73
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"

rules/windows/credential_access_iis_connectionstrings_dumping.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Microsoft IIS Connection Strings Decryption"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
     "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",

rules/windows/credential_access_kerberoasting_unusual_process.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kerberos Traffic from Unusual Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782"
 severity = "medium"

rules/windows/credential_access_lsass_memdump_file_created.toml

@@ -17,6 +17,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Memory Dump Creation"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"]
 risk_score = 73
 rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f"
@@ -36,16 +40,17 @@ file where file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdm
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1003"
-reference = "https://attack.mitre.org/techniques/T1003/"
 name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
 
-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"
 
 [rule.threat.tactic]
 id = "TA0006"
-reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 

rules/windows/credential_access_lsass_memdump_handle_access.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -64,6 +64,9 @@ Audit Handle Manipulation (Success,Failure)
 ```
 
 Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required ACE to handle the use of specific access rights.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+
 """
 references = [
     "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",

rules/windows/credential_access_mimikatz_memssp_default_logs.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mimikatz Memssp Log File Detected"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 73
 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
 severity = "high"
@@ -27,12 +31,12 @@ file where file.name : "mimilsa.log" and process.name : "lsass.exe"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1003"
-reference = "https://attack.mitre.org/techniques/T1003/"
 name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
 
 
 [rule.threat.tactic]
 id = "TA0006"
-reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 

rules/windows/credential_access_mimikatz_powershell_module.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "development"
-updated_date = "2021/09/09"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -53,6 +53,11 @@ used the machine. These users should have their password reset.
 this capability.
 - This [resource](https://adsecurity.org/?page_id=1821) provided by ADSecurity should be used as required reading for
 detecting/preventing and understanding the different Mimikatz components.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = ["https://attack.mitre.org/software/S0002/"]
 risk_score = 99
@@ -67,19 +72,22 @@ process where event.type in ("start", "process_started") and process.name : ("cm
 and process.args : ("*DumpCreds", "*Mimikatz*")
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
 
-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+

rules/windows/credential_access_mod_wdigest_security_provider.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/03/07"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -62,6 +62,11 @@ consequently unauthorized access.
 - Disable user account’s ability to log in remotely.
 - Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
 - Reimage the host operating system and restore compromised files to clean versions.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
     "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",

rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

@@ -1,20 +1,23 @@
 [metadata]
 creation_date = "2021/09/27"
 maturity = "production"
-updated_date = "2021/09/27"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. 
-This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory
-for credential access.
+Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate
+an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via DuplicateHandle in LSASS"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://github.com/CCob/MirrorDump"]
 risk_score = 47
 rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
@@ -40,13 +43,15 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
 
-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+

rules/windows/credential_access_remote_sam_secretsdump.toml

@@ -3,7 +3,7 @@ creation_date = "2022/03/01"
 maturity = "production"
 min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
 min_stack_version = "7.15.0"
-updated_date = "2022/03/01"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,6 @@ risk_score = 73
 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"]
-timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/windows/credential_access_saved_creds_vaultcmd.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Searching for Saved Credentials via VaultCmd"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
     "https://rastamouse.me/blog/rdp-jump-boxes/",
@@ -39,6 +43,7 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
@@ -49,6 +54,7 @@ name = "Windows Credential Manager"
 reference = "https://attack.mitre.org/techniques/T1555/004/"
 
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"

rules/windows/credential_access_suspicious_comsvcs_imageload.toml

@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2021/10/17"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"
 maturity = "production"
 
 
@@ -25,7 +25,6 @@ risk_score = 73
 rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
-timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/windows/credential_access_suspicious_lsass_access_memdump.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/07"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,13 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via LSASS Memory Dump"
-references = ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz"]
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+references = [
+    "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+]
 risk_score = 73
 rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
 severity = "high"
@@ -40,13 +46,15 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
 
-  [[rule.threat.technique.subtechnique]]
-  name = "LSASS Memory"
-  id = "T1003.001"
-  reference = "https://attack.mitre.org/techniques/T1003/001/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,6 @@ risk_score = 47
 rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"]
-timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/12/25"
 maturity = "production"
-updated_date = "2022/03/18"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -64,6 +64,9 @@ Audit Handle Manipulation (Success,Failure)
 
 This event will only trigger if symbolic links are created from a new process spawning for cmd.exe or powershell.exe with the correct arguments.
 Direct access to a shell and calling symbolic link creation tools will not generate an event.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+
 """
 references = [
     "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml

@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2021/11/27"
-updated_date = "2021/11/27"
+updated_date = "2022/03/31"
 maturity = "production"
 
 
@@ -17,7 +17,10 @@ license = "Elastic License v2"
 name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
 note = """## Config
 
-This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation."""
+This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

@@ -13,6 +13,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Adding Hidden File Attribute via Attrib"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
 severity = "low"
@@ -32,24 +36,24 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1564"
-reference = "https://attack.mitre.org/techniques/T1564/"
 name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
 [[rule.threat.technique.subtechnique]]
 id = "T1564.001"
-reference = "https://attack.mitre.org/techniques/T1564/001/"
 name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
 
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0003"
-reference = "https://attack.mitre.org/tactics/TA0003/"
 name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 

rules/windows/defense_evasion_amsienable_key_mod.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/01"
 maturity = "production"
-updated_date = "2022/03/07"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -56,6 +56,11 @@ monitored by the security team, as these modifications expose the host to malwar
 - Isolate the involved hosts to prevent further post-compromise behavior.
 - If malware was found, implement temporary network rules, procedures, and segmentation required to contain it.
 - Delete or set the key to its default value.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
     "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf",

rules/windows/defense_evasion_clearing_windows_console_history.toml

@@ -1,19 +1,23 @@
 [metadata]
 creation_date = "2021/11/22"
 maturity = "production"
-updated_date = "2021/11/24"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal
-the actions undertaken during an intrusion.
+Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised
+account to conceal the actions undertaken during an intrusion.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clearing Windows Console History"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
     "https://www.shellhacks.com/clear-history-powershell/",
@@ -34,19 +38,22 @@ process where event.action == "start" and
      (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*"))
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.003"
+name = "Clear Command History"
+reference = "https://attack.mitre.org/techniques/T1070/003/"
+
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1070.003"
-  name = "Clear Command History"
-  reference = "https://attack.mitre.org/techniques/T1070/003/"
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_clearing_windows_event_logs.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clearing Windows Event Logs"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
 severity = "low"
@@ -35,15 +39,15 @@ framework = "MITRE ATT&CK"
 id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.001"
+name = "Clear Windows Event Logs"
+reference = "https://attack.mitre.org/techniques/T1070/001/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1070.001"
-  name = "Clear Windows Event Logs"
-  reference = "https://attack.mitre.org/techniques/T1070/001/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_code_injection_conhost.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Process from Conhost"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
     "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx",
@@ -33,12 +37,12 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1055"
-reference = "https://attack.mitre.org/techniques/T1055/"
 name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_create_mod_root_certificate.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/01"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation or Modification of Root Certificate"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
     "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate",

rules/windows/defense_evasion_defender_disabled_via_registry.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,12 @@ license = "Elastic License v2"
 name = "Windows Defender Disabled via Registry Modification"
 note = """## Triage and analysis
 
-Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized."""
+Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://thedfirreport.com/2020/12/13/defender-control/"]
 risk_score = 21
 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb"
@@ -46,16 +51,16 @@ framework = "MITRE ATT&CK"
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.006"
-name = "Indicator Blocking"
-reference = "https://attack.mitre.org/techniques/T1562/006/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1562.006"
+name = "Indicator Blocking"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
+
 
 
 [rule.threat.tactic]

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

@@ -1,12 +1,13 @@
 [metadata]
 creation_date = "2021/07/20"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.
+Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder
+directory or process level.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
@@ -45,8 +46,15 @@ potentially isolate further activity.
 - If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove
 the exclusion and ensure antimalware capability has not been disabled or deleted.
 - Exclusion lists for antimalware capabilities should always be routinely monitored for review.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
-references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"]
+references = [
+    "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
+]
 risk_score = 47
 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
 severity = "medium"
@@ -68,16 +76,16 @@ framework = "MITRE ATT&CK"
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.006"
-name = "Indicator Blocking"
-reference = "https://attack.mitre.org/techniques/T1562/006/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1562.006"
+name = "Indicator Blocking"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
+
 
 
 [rule.threat.tactic]
@@ -96,7 +104,9 @@ name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Delete Volume USN Journal with Fsutil"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
 severity = "low"
@@ -32,17 +36,17 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-reference = "https://attack.mitre.org/techniques/T1070/"
 name = "Indicator Removal on Host"
+reference = "https://attack.mitre.org/techniques/T1070/"
 [[rule.threat.technique.subtechnique]]
 id = "T1070.004"
-reference = "https://attack.mitre.org/techniques/T1070/004/"
 name = "File Deletion"
+reference = "https://attack.mitre.org/techniques/T1070/004/"
 
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml

@@ -1,19 +1,23 @@
 [metadata]
 creation_date = "2022/01/31"
 maturity = "production"
-updated_date = "2022/01/31"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable
-this logging to conceal their activities in the host and evade detection.
+Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this
+logging to conceal their activities in the host and evade detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "PowerShell Script Block Logging Disabled"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging",
 ]
@@ -34,20 +38,19 @@ registry where event.type == "change" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
-reference = "https://attack.mitre.org/techniques/T1562/"
 name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.002"
+name = "Disable Windows Event Logging"
+reference = "https://attack.mitre.org/techniques/T1562/002/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1562.002"
-  name = "Disable Windows Event Logging"
-  reference = "https://attack.mitre.org/techniques/T1562/002/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disable Windows Firewall Rules via Netsh"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
 severity = "medium"
@@ -33,17 +37,17 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
-reference = "https://attack.mitre.org/techniques/T1562/"
 name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.004"
-reference = "https://attack.mitre.org/techniques/T1562/004/"
 name = "Disable or Modify System Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
 
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -12,6 +12,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disabling Windows Defender Security Settings via PowerShell"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps",
 ]
@@ -33,16 +37,17 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
-reference = "https://attack.mitre.org/techniques/T1562/"
 name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
 name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_disabling_windows_logs.toml

@@ -1,13 +1,12 @@
 [metadata]
 creation_date = "2021/05/06"
 maturity = "production"
-updated_date = "2021/09/23"
-
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
 description = """
-Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by 
+Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by
 attackers in an attempt to evade detection on a system.
 """
 from = "now-9m"
@@ -15,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disable Windows Event and Security Logs Using Built-in Tools"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman"]
 risk_score = 21
 rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
@@ -36,20 +39,22 @@ process where event.type in ("start", "process_started") and
   ((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable")
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.001"
+name = "Clear Windows Event Logs"
+reference = "https://attack.mitre.org/techniques/T1070/001/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1070.001"
-  name = "Clear Windows Event Logs"
-  reference = "https://attack.mitre.org/techniques/T1070/001/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_dns_over_https_enabled.toml

@@ -1,19 +1,24 @@
 [metadata]
 creation_date = "2021/07/22"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Austin Songer"]
-description = """Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or
-the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type,
-response, and originating IP, which are used to determine bad actors."""
-
+description = """
+Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating
+data. With this enabled, an organization will lose visibility into data such as query type, response, and originating
+IP, which are used to determine bad actors.
+"""
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "DNS-over-HTTPS Enabled via Registry"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
     "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
@@ -35,6 +40,7 @@ registry where event.type in ("creation", "change") and
   registry.data.strings : "1")
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -42,6 +48,7 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious .NET Code Compilation"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
 severity = "medium"
@@ -31,11 +35,11 @@ framework = "MITRE ATT&CK"
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.004"
+name = "Compile After Delivery"
+reference = "https://attack.mitre.org/techniques/T1027/004/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1027.004"
-  name = "Compile After Delivery"
-  reference = "https://attack.mitre.org/techniques/T1027/004/"
 
 
 [rule.threat.tactic]

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Desktop Enabled in Windows Firewall"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7"
 severity = "medium"
@@ -37,8 +41,9 @@ name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.004"
-reference = "https://attack.mitre.org/techniques/T1562/004/"
 name = "Disable or Modify System Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
+
 
 
 [rule.threat.tactic]

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml

@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to
-weaken the host firewall settings.
+Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line
+tool to weaken the host firewall settings.
 """
 false_positives = ["Host Windows Firewall planned system administration changes."]
 from = "now-9m"
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enable Host Network Discovery via Netsh"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
 severity = "medium"
@@ -37,12 +41,13 @@ name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
 id = "T1562.004"
-reference = "https://attack.mitre.org/techniques/T1562/004/"
 name = "Disable or Modify System Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
 
 
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0005/"
 id = "TA0005"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/09/08"
 maturity = "production"
-updated_date = "2021/09/08"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Control Panel Process with Unusual Arguments"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://www.joesandbox.com/analysis/476188/1/html"]
 risk_score = 73
 rule_id = "416697ae-e468-4093-a93d-59661fa619ec"
@@ -45,18 +49,18 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1218/"
-name = "Signed Binary Proxy Execution"
 id = "T1218"
+name = "Signed Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [[rule.threat.technique.subtechnique]]
-reference = "https://attack.mitre.org/techniques/T1218/002/"
-name = "Control Panel"
 id = "T1218.002"
+name = "Control Panel"
+reference = "https://attack.mitre.org/techniques/T1218/002/"
 
 
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0005/"
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

@@ -16,6 +16,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "ImageLoad via Windows Update Auto Update Client"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://dtm.uk/wuauclt/"]
 risk_score = 47
 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3"

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by an Office Application"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
 risk_score = 73
 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
@@ -46,23 +50,24 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1127"
-reference = "https://attack.mitre.org/techniques/T1127/"
 name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1127.001"
-  name = "MSBuild"
-  reference = "https://attack.mitre.org/techniques/T1127/001/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a Script Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
 severity = "low"
@@ -33,24 +37,24 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1127"
-reference = "https://attack.mitre.org/techniques/T1127/"
 name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1127.001"
-  name = "MSBuild"
-  reference = "https://attack.mitre.org/techniques/T1127/001/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a System Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
 severity = "medium"
@@ -33,24 +37,24 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1127"
-reference = "https://attack.mitre.org/techniques/T1127/"
 name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1127.001"
-  name = "MSBuild"
-  reference = "https://attack.mitre.org/techniques/T1127/001/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Using an Alternate Name"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4"
 severity = "low"
@@ -33,17 +37,17 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
-reference = "https://attack.mitre.org/techniques/T1036/"
 name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.003"
+name = "Rename System Utilities"
+reference = "https://attack.mitre.org/techniques/T1036/003/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1036.003"
-  name = "Rename System Utilities"
-  reference = "https://attack.mitre.org/techniques/T1036/003/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started an Unusual Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6"
@@ -39,17 +43,17 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1027"
-reference = "https://attack.mitre.org/techniques/T1027/"
 name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
 [[rule.threat.technique.subtechnique]]
 id = "T1027.004"
-reference = "https://attack.mitre.org/techniques/T1027/004/"
 name = "Compile After Delivery"
+reference = "https://attack.mitre.org/techniques/T1027/004/"
 
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential DLL SideLoading via Trusted Microsoft Programs"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 73
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
 severity = "high"
@@ -40,11 +44,12 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
-reference = "https://attack.mitre.org/techniques/T1036/"
 name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_execution_windefend_unusual_path.toml

@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2021/09/22"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
 description = """
-Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking
-starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade
-defenses via side-loading a malicious DLL within the memory space of one of those processes.
+Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being
+renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via
+side-loading a malicious DLL within the memory space of one of those processes.
 """
 false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
 from = "now-9m"
@@ -16,6 +16,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/",
 ]
@@ -50,7 +54,9 @@ name = "DLL Side-Loading"
 reference = "https://attack.mitre.org/techniques/T1574/002/"
 
 
+
 [rule.threat.tactic]
+id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-id = "TA0005"
+

rules/windows/defense_evasion_file_creation_mult_extension.toml

@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/09/23"
 min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Executable File Creation with Multiple Extensions"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
 severity = "medium"
@@ -47,19 +51,18 @@ reference = "https://attack.mitre.org/techniques/T1036/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1204.002"
-  name = "Malicious File"
-  reference = "https://attack.mitre.org/techniques/T1204/002/"
 
 [rule.threat.tactic]
 id = "TA0002"

rules/windows/defense_evasion_iis_httplogging_disabled.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/14"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "IIS HTTP Logging Disabled"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 73
 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5"
 severity = "high"
@@ -34,17 +38,17 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
-reference = "https://attack.mitre.org/techniques/T1562/"
 name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.002"
+name = "Disable Windows Event Logging"
+reference = "https://attack.mitre.org/techniques/T1562/002/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1562.002"
-  name = "Disable Windows Event Logging"
-  reference = "https://attack.mitre.org/techniques/T1562/002/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Endpoint Security Parent Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
 severity = "medium"

rules/windows/defense_evasion_masquerading_renamed_autoit.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Renamed AutoIt Scripts Interpreter"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
 severity = "medium"
@@ -33,11 +37,11 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.003"
+name = "Rename System Utilities"
+reference = "https://attack.mitre.org/techniques/T1036/003/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1036.003"
-  name = "Rename System Utilities"
-  reference = "https://attack.mitre.org/techniques/T1036/003/"
 
 
 [rule.threat.tactic]

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WerFault Child Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
     "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
@@ -50,11 +54,12 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
-reference = "https://attack.mitre.org/techniques/T1036/"
 name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_masquerading_trusted_directory.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Program Files Directory Masquerading"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
 severity = "medium"
@@ -35,11 +39,11 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1036.005"
-  name = "Match Legitimate Name or Location"
-  reference = "https://attack.mitre.org/techniques/T1036/005/"
 
 
 [rule.threat.tactic]

rules/windows/defense_evasion_microsoft_defender_tampering.toml

@@ -1,20 +1,24 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2022/03/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft
-Defender features to evade detection and conceal malicious behavior.
+Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with
+Microsoft Defender features to evade detection and conceal malicious behavior.
 """
 false_positives = ["Legitimate Windows Defender configuration changes"]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] 
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Windows Defender Tampering"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
     "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
@@ -64,6 +68,7 @@ registry where event.type in ("creation", "change") and
   registry.data.strings : ("1", "0x00000001"))
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -71,7 +76,9 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/01/12"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -57,6 +57,11 @@ positives (B-TPs), as this configuration can put the user and the domain at risk
 - Reset the registry key value.
 - Isolate the host if malicious code was executed and reset the involved account's passwords.
 - Explore using GPOs to manage security settings for Microsoft Office macros.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 risk_score = 47
 rule_id = "feeed87c-5e95-4339-aef1-47fd79bcfbe3"
@@ -78,30 +83,31 @@ registry where event.type == "change" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1204.002"
-  name = "Malicious File"
-  reference = "https://attack.mitre.org/techniques/T1204/002/"
 
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

@@ -1,8 +1,7 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2022/02/16"
-
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Austin Songer"]
@@ -22,6 +21,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Firewall Disabled via PowerShell"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
     "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
@@ -43,17 +46,19 @@ process where event.action == "start" and
   (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*"))
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.004"
+name = "Disable or Modify System Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
+
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1562.004"
-  reference = "https://attack.mitre.org/techniques/T1562/004/"
-  name = "Disable or Modify System Firewall"
 
 [rule.threat.tactic]
 id = "TA0005"

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Scheduled Tasks AT Command Enabled"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
 risk_score = 47
 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"

rules/windows/defense_evasion_sdelete_like_filename_rename.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,12 @@ license = "Elastic License v2"
 name = "Potential Secure File Deletion via SDelete Utility"
 note = """## Triage and analysis
 
-Verify process details such as command line and hash to confirm this activity legitimacy."""
+Verify process details such as command line and hash to confirm this activity legitimacy.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
 severity = "low"

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SolarWinds Process Disabling Services via Registry"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 ]

rules/windows/defense_evasion_suspicious_certutil_commands.toml

@@ -8,8 +8,8 @@ min_stack_version = "8.2"
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
-Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of 
-Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or 
+Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of
+Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or
 data exfiltration.
 """
 from = "now-9m"
@@ -17,6 +17,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious CertUtil Commands"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://twitter.com/Moriarty_Meng/status/984380793383370752",
     "https://twitter.com/egre55/status/1087685529016193025",
@@ -43,12 +47,12 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1140"
-reference = "https://attack.mitre.org/techniques/T1140/"
 name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/05/28"
 maturity = "production"
-updated_date = "2021/05/28"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution from a Mounted Device"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
     "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
@@ -37,44 +41,45 @@ process where event.type == "start" and process.executable : "C:\\*" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1218/"
 id = "T1218"
 name = "Signed Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [[rule.threat.technique.subtechnique]]
-reference = "https://attack.mitre.org/techniques/T1218/011/"
-id = "T1218.011"
-name = "Rundll32"
-
-[[rule.threat.technique.subtechnique]]
-reference = "https://attack.mitre.org/techniques/T1218/005/"
 id = "T1218.005"
 name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
 
 [[rule.threat.technique.subtechnique]]
-reference = "https://attack.mitre.org/techniques/T1218/010/"
 id = "T1218.010"
 name = "Regsvr32"
+reference = "https://attack.mitre.org/techniques/T1218/010/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
 
 
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0005/"
 id = "TA0005"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059"
 name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "T1059.001"
 name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
 
 
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0002/"
 id = "TA0002"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,6 @@ risk_score = 73
 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
-timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

@@ -1,23 +1,27 @@
 [metadata]
 creation_date = "2021/10/11"
 maturity = "production"
-updated_date = "2021/10/11"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland
-Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked
-functions by writing malicious functions that call syscalls directly.
+Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook
+userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass
+hooked functions by writing malicious functions that call syscalls directly.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Process Access via Direct System Call"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://twitter.com/SBousseaden/status/1278013896440324096",
-    "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"
+    "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs",
 ]
 risk_score = 73
 rule_id = "2dd480be-1263-4d9c-8672-172928f6789a"
@@ -47,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/24"
 maturity = "production"
-updated_date = "2021/10/24"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,6 @@ risk_score = 43
 rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
-timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/windows/defense_evasion_suspicious_zoom_child_process.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Zoom Child Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Executable File Creation by a System Critical Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 73
 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
 severity = "high"
@@ -40,11 +44,12 @@ file where event.type != "deletion" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1211"
-reference = "https://attack.mitre.org/techniques/T1211/"
 name = "Exploitation for Defense Evasion"
+reference = "https://attack.mitre.org/techniques/T1211/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_unusual_ads_file_creation.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual File Creation - Alternate Data Stream"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
 severity = "medium"

rules/windows/defense_evasion_unusual_dir_ads.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Process Execution Path - Alternate Data Stream"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242"
 severity = "medium"
@@ -39,7 +43,9 @@ name = "NTFS File Attributes"
 reference = "https://attack.mitre.org/techniques/T1564/004/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/05/28"
 maturity = "production"
-updated_date = "2021/05/28"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,6 @@ risk_score = 47
 rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
-timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/windows/defense_evasion_unusual_system_vp_child_program.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Process from a System Virtual Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 73
 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
 severity = "high"
@@ -29,11 +33,12 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1055"
-reference = "https://attack.mitre.org/techniques/T1055/"
 name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_via_filter_manager.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Evasion via Filter Manager"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a"
 severity = "medium"
@@ -39,8 +43,9 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 

rules/windows/defense_evasion_whitespace_padding_in_command_line.toml

@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2021/07/30"
 maturity = "production"
-updated_date = "2021/12/06"
 min_stack_comments = "EQL regex had a bug when dealing with wildcard fields that was fixed in 7.16 (elastic/elasticsearch/issues/78391)"
 min_stack_version = "7.16.0"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies process execution events where the command line value contains a long sequence of whitespace characters or 
-multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding 
-their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious 
+Identifies process execution events where the command line value contains a long sequence of whitespace characters or
+multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding
+their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious
 behavior.
 """
 from = "now-9m"
@@ -21,7 +21,12 @@ name = "Whitespace Padding in Process Command Line"
 note = """## Triage and analysis
 
 - Analyze the command line of the process in question for evidence of malicious code execution.
-- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution."""
+- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = ["https://twitter.com/JohnLaTwC/status/1419251082736201737"]
 risk_score = 47
 rule_id = "e0dacebe-4311-4d50-9387-b17e89c2e7fd"
@@ -38,10 +43,12 @@ process where event.type in ("start", "process_started") and
   process.command_line regex ".*(.*[ ]{5,}[^ ]*){3,}.*"
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/windows/defense_evasion_workfolders_control_execution.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/02"
 maturity = "production"
-updated_date = "2022/03/02"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -41,6 +41,11 @@ behavior.
 - If no lateral movement was identified during investigation, take the effected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.
 - Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.
 - Confirm with user whether this was expected or not and reset their password.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
     "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview",

rules/windows/discovery_adfind_command_activity.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -50,6 +50,11 @@ isolation, so reviewing previous logs/activity from impacted machines can be ver
 post-compromise behavior.
 - It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate
 purposes, so understanding the intent behind the activity will help determine the appropropriate response.
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
     "http://www.joeware.net/freetools/tools/adfind/",
@@ -81,6 +86,11 @@ process where event.type in ("start", "process_started") and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
@@ -107,12 +117,6 @@ name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
 
 
-[[rule.threat.technique]]
-id = "T1018"
-name = "Remote System Discovery"
-reference = "https://attack.mitre.org/techniques/T1018/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"

rules/windows/discovery_admin_recon.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Administrator Accounts"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "871ea072-1b71-4def-b016-6278b505138d"
 severity = "low"
@@ -43,11 +47,11 @@ framework = "MITRE ATT&CK"
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1069.002"
-  name = "Domain Groups"
-  reference = "https://attack.mitre.org/techniques/T1069/002/"
 
 [[rule.threat.technique]]
 id = "T1087"

rules/windows/discovery_file_dir_discovery.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,6 @@ risk_score = 21
 rule_id = "7b08314d-47a0-4b71-ae4e-16544176924f"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
-timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/windows/discovery_net_command_system_account.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Net command via SYSTEM account"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
 severity = "low"
@@ -34,11 +38,12 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1033"
-reference = "https://attack.mitre.org/techniques/T1033/"
 name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
 
 
 [rule.threat.tactic]
 id = "TA0007"
-reference = "https://attack.mitre.org/tactics/TA0007/"
 name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+

rules/windows/discovery_net_view.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Network Enumeration"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
 severity = "medium"

rules/windows/discovery_peripheral_device.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Peripheral Device Discovery"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"
 severity = "low"

rules/windows/discovery_privileged_localgroup_membership.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/15"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,9 @@ note = """## Config
 
 This will require Windows security event 4799 by enabling audit success for the Windows Account Management category and
 the Security Group Management subcategory.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+
 """
 risk_score = 43
 rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4"

rules/windows/discovery_remote_system_discovery_commands_windows.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote System Discovery Commands"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a"
 severity = "low"

rules/windows/discovery_security_software_wmic.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Security Software Discovery using WMIC"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922"
 severity = "medium"
@@ -34,11 +38,11 @@ framework = "MITRE ATT&CK"
 id = "T1518"
 name = "Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/"
+[[rule.threat.technique.subtechnique]]
+id = "T1518.001"
+name = "Security Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/001/"
 
-  [[rule.threat.technique.subtechnique]]
-  id = "T1518.001"
-  name = "Security Software Discovery"
-  reference = "https://attack.mitre.org/techniques/T1518/001/"
 
 
 [rule.threat.tactic]

rules/windows/discovery_whoami_command_activity.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Whoami Process Activity"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
 severity = "low"
@@ -36,12 +40,12 @@ process where event.type in ("start", "process_started") and process.name : "who
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1033"
-reference = "https://attack.mitre.org/techniques/T1033/"
 name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
 
 
 [rule.threat.tactic]
 id = "TA0007"
-reference = "https://attack.mitre.org/tactics/TA0007/"
 name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
 

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Command Execution via SolarWinds Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
     "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",

rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious SolarWinds Child Process"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
     "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc",

rules/windows/execution_com_object_xwizard.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution of COM object via Xwizard"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
     "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",

rules/windows/execution_command_shell_started_by_svchost.toml

@@ -13,6 +13,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Svchost spawning Cmd"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
 severity = "low"
@@ -39,11 +43,12 @@ process where event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
-reference = "https://attack.mitre.org/techniques/T1059/"
 name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 
 
 [rule.threat.tactic]
 id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/execution_command_shell_started_by_unusual_process.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Parent Process for cmd.exe"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
 severity = "medium"
@@ -52,12 +56,12 @@ process where event.type in ("start", "process_started") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
-reference = "https://attack.mitre.org/techniques/T1059/"
 name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 
 
 [rule.threat.tactic]
 id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 

rules/windows/execution_command_shell_via_rundll32.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -12,6 +12,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Command Shell Activity Started via RunDLL32"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
 severity = "low"
@@ -46,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/execution_enumeration_via_wmiprvse.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration Command Spawned via WMIPrvSE"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 21
 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
 severity = "low"
@@ -64,29 +68,26 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1518"
-name = "Software Discovery"
-reference = "https://attack.mitre.org/techniques/T1518/"
-
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
 
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
 
-
 [[rule.threat.technique]]
-id = "T1018"
-name = "Remote System Discovery"
-reference = "https://attack.mitre.org/techniques/T1018/"
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
 
 
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+

rules/windows/execution_from_unusual_directory.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/31"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Execution from an Unusual Directory"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 risk_score = 47
 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f"
 severity = "medium"