diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index 9dbe6ea18..3a9405100 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/12/21"
 integration = ["endpoint", "windows"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index 1e1a7b527..90e465b33 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml
index 2e19f7546..d1d9311a1 100644
--- a/rules/windows/collection_mailbox_export_winlog.toml
+++ b/rules/windows/collection_mailbox_export_winlog.toml
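Review bot: `updated_date = "2024/05/28"` in the credential_access_cookies_chromium_browsers_debugging.toml hunk is out of step with the `2024/10/28` that every other hunk in this commit writes, and it lands only a week after the `2024/05/21` it replaces, which reads like a stale stamp rather than the date of this edit. If the field is meant to record this change, `+updated_date = "2024/10/28"` would match the rest of the set. The same slip appears later in the impact_stop_process_service_threshold.toml hunk, which writes `2024/09/28`.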
@@ -2,9 +2,9 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index 83b9dd436..c1accd7d8 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml
index c6e122001..d08e24720 100644
--- a/rules/windows/collection_posh_clipboard_capture.toml
+++ b/rules/windows/collection_posh_clipboard_capture.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/12"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index 3c28c1d18..7e89556a9 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
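Review bot: The replaced `min_stack_comments` line in the collection_mailbox_export_winlog.toml hunk drops the earlier rationale ("KQL handles backslash and ? characters differently in 8.12+.") and keeps only the 8.14.0 Windows Integration note, so the file no longer records that the query's escaping also depends on 8.12+ KQL semantics. Since 8.14.0 still satisfies the older floor the constraint is not weakened, only the explanation is; carrying both reasons in the one string would preserve it, e.g. `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration. KQL handles backslash and ? characters differently in 8.12+."`. The same replacement occurs in the collection_posh_clipboard_capture, defense_evasion_posh_assembly_load, defense_evasion_posh_compressed, discovery_posh_suspicious_api_functions, discovery_privileged_localgroup_membership, execution_posh_hacktool_functions, execution_posh_psreflect and lateral_movement_posh_winrm_activity hunks.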
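Review bot: The two new keys in the collection_posh_audio_capture.toml hunk are appended after `updated_date`, which breaks the sorted `[metadata]` order the files this commit rewrites in place already follow (`maturity`, `min_stack_comments`, `min_stack_version`, `updated_date`, visible in the removed lines of the collection_mailbox_export_winlog.toml hunk), while the `@@ -1,8 +1,10 @@` and `@@ -2,8 +2,10 @@` hunks insert the same keys before `maturity` instead. One placement, after `maturity` and before `updated_date` with `min_stack_comments` ahead of `min_stack_version`, would keep the block sorted and give every file the same layout; the appended-after-`updated_date` shape recurs in every other `@@ -2,7 +2,9 @@` hunk of this commit. If the repository's rule formatter re-sorts metadata keys on its next pass this is cosmetic, but these hand-edited files would then churn a second time.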
@@ -2,7 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
index b0ce9e211..6e8c81179 100644
--- a/rules/windows/collection_posh_mailbox.toml
+++ b/rules/windows/collection_posh_mailbox.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index bf6cba3bc..cd618e1b0 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml
index 1def216d6..a00065428 100644
--- a/rules/windows/collection_posh_webcam_video_capture.toml
+++ b/rules/windows/collection_posh_webcam_video_capture.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/18"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
index eb1c069f0..3d5a827c1 100644
--- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/04/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 41bd37d20..297d75438 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/12/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml
index 1f7178080..409b70d35 100644
--- a/rules/windows/credential_access_dcsync_user_backdoor.toml
+++ b/rules/windows/credential_access_dcsync_user_backdoor.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/07/10"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/09"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 3b6b8673f..544479e0c 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 03a0f56c4..e87ba7dc1 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
index 525855cb6..4f7d07531 100644
--- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml
+++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
index faac39910..b5353cf14 100644
--- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml
+++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/26"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 801b74645..9a743631e 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/05"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml
index ea39ef5da..c376b490b 100644
--- a/rules/windows/credential_access_posh_relay_tools.toml
+++ b/rules/windows/credential_access_posh_relay_tools.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 1e24dacaf..f2e118fe2 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml
index e7be3dd4e..65831163c 100644
--- a/rules/windows/credential_access_posh_veeam_sql.toml
+++ b/rules/windows/credential_access_posh_veeam_sql.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 510c8d2c0..373f75f2a 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index 08dc30eba..82d995885 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index ed8ffb8d2..c9893d590 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index 7b152155c..157283aef 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index 09965632f..17c7835fb 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index e02900260..5f4a892c4 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index 8f9d32fbf..c5462af0a 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 254454f01..bb5c221ef 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 02ab47c82..0e0e29868 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index 7ee9ef5c1..1f9628511 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/09/30"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 9bbb2709f..d4bcbc349 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/07/17"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml
index 48ed684c2..6a1bc0512 100644
--- a/rules/windows/defense_evasion_posh_encryption.toml
+++ b/rules/windows/defense_evasion_posh_encryption.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml
index 3710498c6..a526da2b5 100644
--- a/rules/windows/defense_evasion_posh_obfuscation.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/07/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/03"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 112011fec..9d74159fa 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index 717838974..d445261d7 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 2e8154ae1..01d1b4681 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/07/17"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 7055e324d..f712d8430 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/15"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/08/26"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index cb7d95b46..36edde841 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml
index b4c00d88b..40c31c3be 100644
--- a/rules/windows/execution_posh_hacktool_authors.toml
+++ b/rules/windows/execution_posh_hacktool_authors.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/05/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 75b315e2b..9bf1665b1 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index 579739d59..03f85f3d9 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index fa2f38e79..f3f0d9943 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/07/17"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml
index 657be1416..4d605159c 100644
--- a/rules/windows/exfiltration_smb_rare_destination.toml
+++ b/rules/windows/exfiltration_smb_rare_destination.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index fd67fe3f8..f7f1fab03 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/05/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 9b6b1b7ea..f73fa9494 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/12/03"
 integration = ["endpoint", "windows", "system"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/09/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
index 6e164d60e..288d91f4f 100644
--- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2023/03/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml
index bb8b826cb..b8afff146 100644
--- a/rules/windows/lateral_movement_alternate_creds_pth.toml
+++ b/rules/windows/lateral_movement_alternate_creds_pth.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/03/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index 525b66d0c..943a4663f 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/31"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index 350dda439..7ec546f3a 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 584f1c762..316984f9d 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/04"
 integration = ["system", "windows"]
 maturity = "development"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Skoetting"]
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml
index 34550b651..2595cb73e 100644
--- a/rules/windows/privilege_escalation_credroaming_ldap.toml
+++ b/rules/windows/privilege_escalation_credroaming_ldap.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
index 67a166024..77e4e70c5 100644
--- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
+++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index e27d5ab42..5e72db6df 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 59416adb2..f43288f06 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
index f39bae276..1eed992f9 100644
--- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -2,8 +2,10 @@
 bypass_bbr_timing = true
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
index b7e1e6414..37b12767e 100644
--- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
@@ -2,8 +2,10 @@
 bypass_bbr_timing = true
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
index cd733c9fa..d58b327e2 100644
--- a/rules_building_block/discovery_system_time_discovery.toml
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -2,8 +2,10 @@
 bypass_bbr_timing = true
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint", "system"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
index 405a7a666..1ab4424ae 100644
--- a/rules_building_block/lateral_movement_posh_winrm_activity.toml
+++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/07/12"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]