security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Minstack version for windows integration (#4214)

Browse Source
This commit is contained in:
shashank-elastic
2024-10-28 19:28:10 +05:30
committed by GitHub
parent 9e4fce6586
commit 92fe46b8ff
58 changed files with 174 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+3 -1
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/12/21"
integration = ["endpoint", "windows"]
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/05/28"
[rule]
author = ["Elastic"]
rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+3 -1
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
maturity = "production"
updated_date = "2024/06/18"
updated_date = "2024/10/28"
[transform]
[[transform.osquery]]
rules/windows/collection_mailbox_export_winlog.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2023/01/11"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/03/12"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
rules/windows/collection_posh_audio_capture.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2021/10/19"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/collection_posh_clipboard_capture.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2023/01/12"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/03/12"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
rules/windows/collection_posh_keylogger.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2021/10/15"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/17"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/collection_posh_mailbox.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/01/11"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/collection_posh_screen_grabber.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2021/10/19"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/collection_posh_webcam_video_capture.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/07/18"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/04/03"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/12/19"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_dcsync_user_backdoor.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2024/07/10"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/09"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_disable_kerberos_preauth.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/01/24"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_mimikatz_powershell_module.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/12/07"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_posh_invoke_ninjacopy.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/01/23"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/17"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_posh_kerb_ticket_dump.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/07/26"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/17"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_posh_minidump.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2021/10/05"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_posh_relay_tools.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2024/03/27"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/17"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_posh_request_ticket.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/01/24"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_posh_veeam_sql.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2024/03/14"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/01/27"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_shadow_credentials.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/01/26"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_spn_attribute_modified.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/02/22"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2021/10/14"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/defense_evasion_amsi_bypass_powershell.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[transform]
[[transform.osquery]]
rules/windows/defense_evasion_clearing_windows_security_logs.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/11/12"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic", "Anabella Cristaldi"]
rules/windows/defense_evasion_cve_2020_0601.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/19"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/defense_evasion_posh_assembly_load.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2021/10/15"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/09/30"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[transform]
[[transform.osquery]]
rules/windows/defense_evasion_posh_compressed.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2021/10/19"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/07/17"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[transform]
[[transform.osquery]]
rules/windows/defense_evasion_posh_encryption.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/01/23"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/17"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/defense_evasion_posh_obfuscation.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2024/07/03"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/03"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/defense_evasion_posh_process_injection.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2021/10/14"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/17"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/discovery_posh_invoke_sharefinder.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/08/17"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/discovery_posh_suspicious_api_functions.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2021/10/13"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/07/17"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
rules/windows/discovery_privileged_localgroup_membership.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2020/10/15"
integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/08/26"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[transform]
[[transform.osquery]]
rules/windows/execution_command_shell_started_by_svchost.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/10"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[transform]
[[transform.osquery]]
rules/windows/execution_posh_hacktool_authors.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2024/05/08"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/17"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/execution_posh_hacktool_functions.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/03/12"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[transform]
[[transform.osquery]]
rules/windows/execution_posh_portable_executable.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2021/10/15"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[transform]
[[transform.osquery]]
rules/windows/execution_posh_psreflect.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2021/10/15"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/07/17"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[transform]
[[transform.osquery]]
rules/windows/exfiltration_smb_rare_destination.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/12/04"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/10"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/impact_high_freq_file_renames_by_kernel.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2024/05/03"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/10"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/impact_stop_process_service_threshold.toml
+3 -1
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/12/03"
integration = ["endpoint", "windows", "system"]
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/09/28"
[rule]
author = ["Elastic"]
rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+3 -1
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/03/16"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
maturity = "production"
updated_date = "2024/10/10"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
rules/windows/lateral_movement_alternate_creds_pth.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/03/29"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/persistence_ad_adminsdholder.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/01/31"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/persistence_dontexpirepasswd_account.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/02/22"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/persistence_user_account_creation_event_logs.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2021/01/04"
integration = ["system", "windows"]
maturity = "development"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Skoetting"]
rules/windows/privilege_escalation_credroaming_ldap.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/11/09"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2023/11/15"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules/windows/privilege_escalation_posh_token_impersonation.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2022/08/17"
integration = ["windows"]
maturity = "production"
updated_date = "2024/07/17"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[transform]
[[transform.osquery]]
rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+3 -1
View File
@@ -2,7 +2,9 @@
creation_date = "2020/08/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/10"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
+3 -1
View File
@@ -2,8 +2,10 @@
bypass_bbr_timing = true
creation_date = "2020/08/18"
integration = ["endpoint", "windows", "system"]
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
rules_building_block/discovery_remote_system_discovery_commands_windows.toml
+3 -1
View File
@@ -2,8 +2,10 @@
bypass_bbr_timing = true
creation_date = "2020/12/04"
integration = ["endpoint", "windows"]
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
rules_building_block/discovery_system_time_discovery.toml
+3 -1
View File
@@ -2,8 +2,10 @@
bypass_bbr_timing = true
creation_date = "2023/01/24"
integration = ["windows", "endpoint", "system"]
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
rules_building_block/lateral_movement_posh_winrm_activity.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2023/07/12"
integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/03/12"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]