[Rule Tuning] Update event.code to category (#349)

rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:(MSBuild.exe or msxsl.exe)
+event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)
 '''
 
 

rules/windows/defense_evasion_via_filter_manager.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:fltMC.exe
+event.category:process and event.type:(start or process_started) and process.name:fltMC.exe
 '''
 
 

rules/windows/discovery_process_discovery_via_tasklist_command.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:tasklist.exe
+event.category:process and event.type:(start or process_started) and process.name:tasklist.exe
 '''
 
 

rules/windows/discovery_whoami_command_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-process.name:whoami.exe and event.code:1
+event.category:process and event.type:(start or process_started) and process.name:whoami.exe
 '''
 
 

rules/windows/execution_via_compiled_html_file.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:hh.exe
+event.category:process and event.type:(start or process_started) and process.name:hh.exe
 '''
 
 

rules/windows/persistence_priv_escalation_via_accessibility_features.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/12"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)
+event.category:process and event.type:(start or process_started) and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)
 '''
 
 

rules/windows/persistence_via_application_shimming.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:sdbinst.exe
+event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe
 '''