From 7b74244afb7c1dc81bc57d326e4d31d19bdfc3ad Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 23 Oct 2023 14:56:03 -0300
Subject: [PATCH] [Promote] Potential Masquerading as Communication Apps (#3181)

* [Promote] Potential Masquerading as Communication Apps
* Update defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
* Update rules/windows/defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 6fcf26b20e927678be1545818cb54d7bff032abf)
---
 .../defense_evasion_masquerading_communication_apps.toml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
 rename {rules_building_block => rules/windows}/defense_evasion_masquerading_communication_apps.toml (95%)
diff --git a/rules_building_block/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml
similarity index 95%
rename from rules_building_block/defense_evasion_masquerading_communication_apps.toml
rename to rules/windows/defense_evasion_masquerading_communication_apps.toml
index fe0a3313f..aac5dce5c 100644
--- a/rules_building_block/defense_evasion_masquerading_communication_apps.toml
+++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml
@@ -5,7 +5,6 @@ maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 updated_date = "2023/10/13"
-bypass_bbr_timing = true
 
 [rule]
 author = ["Elastic"]
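Review bot: `updated_date = "2023/10/13"` is left as unchanged context at the top of this hunk even though the commit changes the rule's risk_score, severity and tags in the following hunk; if the repository expects updated_date to reflect the latest content change of a rule, it should be bumped to the date of this change, e.g. `updated_date = "2023/10/23"` (the commit date shown in the header; the cherry-pick source may carry a different date). Dropping the `"Tactic: Persistence"` tag in the second hunk should also be reflected in the rule's `[[rule.threat]]` mapping, which lies outside this diff — if a Persistence tactic entry remains there, the tags and the threat mapping will disagree. The removal of `bypass_bbr_timing` here is only consistent with the promotion if `building_block_type` and the `"Rule Type: BBR"` tag are removed in the same commit, which the second hunk does.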
@@ -18,12 +17,11 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Masquerading as Communication Apps"
-risk_score = 21
+risk_score = 47
 rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923"
-severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"]
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 query = '''