[FR] Minor Typo Fixes (#5784)

CONTRIBUTING.md

@@ -66,7 +66,7 @@ We'll tag issues and pull requests with the target release if applicable. If a r
 
 Of course, feel free to bump your issues if you think they've been neglected for a prolonged period.
 
-Issues and pull requests will be marked as `stale` after 60 days of inactivity. After 7 more days of incactivity, they will be closed automatically.
+Issues and pull requests will be marked as `stale` after 60 days of inactivity. After 7 more days of inactivity, they will be closed automatically.
 
 If an issue or pull request is marked `stale` and/or closed, this does not mean it is not important, just that there may be more work than available resources over a given time. We feel that it is a better experience to generate activity responding to a stale issue or letting it close, than to let something remain open and neglected for longer periods of time.
 

hunting/index.md

@@ -121,7 +121,7 @@ Here are the queries currently available:
 - [Multiple Application SSO Authentication from the Same Source](./okta/docs/defense_evasion_multiple_application_sso_authentication_repeat_source.md) (ES|QL)
 - [OAuth Access Token Granted for Public Client App from Multiple Client Addresses](./okta/docs/defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.md) (ES|QL)
 - [Password Spraying from Repeat Source](./okta/docs/initial_access_password_spraying_from_repeat_source.md) (ES|QL)
-- [Rapid MFA Deny Push Notifications (MFA Bombing)](./okta/docs/credential_access_mfa_bombing_push_notications.md) (ES|QL)
+- [Rapid MFA Deny Push Notifications (MFA Bombing)](./okta/docs/credential_access_mfa_bombing_push_notifications.md) (ES|QL)
 - [Rapid Reset Password Requests for Different Users](./okta/docs/credential_access_rapid_reset_password_requests_for_different_users.md) (ES|QL)
 - [Rare Occurrence of Domain with User Authentication Events](./okta/docs/persistence_rare_domain_with_user_authentication.md) (ES|QL)
 - [Rare Occurrence of OAuth Access Token Granted to Public Client App](./okta/docs/defense_evasion_rare_oauth_access_token_granted_by_application.md) (ES|QL)
@@ -130,7 +130,7 @@ Here are the queries currently available:
 
 ## windows
 - [DLL Hijack via Masquerading as Microsoft Native Libraries](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md) (ES|QL)
-- [DNS Queries via LOLBins with Low Occurence Frequency](./windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md) (ES|QL)
+- [DNS Queries via LOLBins with Low Occurrence Frequency](./windows/docs/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.md) (ES|QL)
 - [Egress Network Connections with Total Bytes Greater than Threshold](./windows/docs/potential_exfiltration_by_process_total_egress_bytes.md) (ES|QL)
 - [Excessive RDP Network Activity by Host and User](./windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md) (ES|QL)
 - [Excessive SMB Network Activity by Process ID](./windows/docs/excessive_smb_network_activity_by_process_id.md) (ES|QL)

hunting/index.yml

@@ -358,7 +358,7 @@ okta:
     - T1078.004
   223451b0-6eca-11ef-a070-f661ea17fbcc:
     name: Rapid MFA Deny Push Notifications (MFA Bombing)
-    path: ./okta/queries/credential_access_mfa_bombing_push_notications.toml
+    path: ./okta/queries/credential_access_mfa_bombing_push_notifications.toml
     mitre:
     - T1621
   11666aa0-71d9-11ef-a9be-f661ea17fbcc:
@@ -592,7 +592,7 @@ windows:
     - T1047
   1c7be6db-12eb-4281-878d-b6abe0454f36:
     name: DNS Queries via LOLBins with Low Occurence Frequency
-    path: ./windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
+    path: ./windows/queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml
     mitre:
     - T1071
   386f9cec-bb44-4dd2-8368-45e6fa0a425b:

hunting/okta/docs/credential_access_mfa_bombing_push_notifications.md

@@ -10,7 +10,7 @@
 - **UUID:** `223451b0-6eca-11ef-a070-f661ea17fbcc`
 - **Integration:** [okta](https://docs.elastic.co/integrations/okta)
 - **Language:** `[ES|QL]`
-- **Source File:** [Rapid MFA Deny Push Notifications (MFA Bombing)](../queries/credential_access_mfa_bombing_push_notications.toml)
+- **Source File:** [Rapid MFA Deny Push Notifications (MFA Bombing)](../queries/credential_access_mfa_bombing_push_notifications.toml)
 
 ## Query
 

hunting/okta/queries/credential_access_mfa_bombing_push_notifications.toml

@@ -31,4 +31,4 @@ from logs-okta*
 // Filter for users with more than 5 MFA deny push notifications
 | where deny_push_count >= 5
 """
-]
+]

hunting/windows/docs/detect_rare_lsass_process_access_attempts.md

@@ -5,7 +5,7 @@
 ## Metadata
 
 - **Author:** Elastic
-- **Description:** This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS.
+- **Description:** This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurrences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS.
 
 - **UUID:** `d0aed6f5-f84c-4da8-bb2a-b5ca0fbb55e0`
 - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
@@ -22,8 +22,8 @@ from logs-endpoint.events.api*
 | keep process.executable.caseless, host.id
  /* normalize process paths to reduce known random patterns in process.executable */
 | eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| stats occurences = count(process), agents = count_distinct(host.id) by process
+| stats occurrences = count(process), agents = count_distinct(host.id) by process
-| where agents == 1 and occurences <= 10
+| where agents == 1 and occurrences <= 10
 ```
 
 ```sql
@@ -35,8 +35,8 @@ from logs-windows.sysmon_operational-*
  /* normalize process paths to reduce known random patterns in process.executable */
 | eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
 | eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
-| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path
+| stats occurrences = count(process_path), agents = count_distinct(host.id) by process_path
-| where agents == 1 and occurences <= 10
+| where agents == 1 and occurrences <= 10
 ```
 
 ## Notes

hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.md

@@ -1,4 +1,4 @@
-# DNS Queries via LOLBins with Low Occurence Frequency
+# DNS Queries via LOLBins with Low Occurrence Frequency
 
 ---
 
@@ -10,7 +10,7 @@
 - **UUID:** `1c7be6db-12eb-4281-878d-b6abe0454f36`
 - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
 - **Language:** `[ES|QL]`
-- **Source File:** [DNS Queries via LOLBins with Low Occurence Frequency](../queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml)
+- **Source File:** [DNS Queries via LOLBins with Low Occurrence Frequency](../queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml)
 
 ## Query
 

hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md

@@ -22,8 +22,8 @@ from logs-endpoint.events.file-*
   starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and
   starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
 | keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
+| stats occurrences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
+| where agents == 1 and occurrences <= 10
 ```
 
 ```sql
@@ -32,8 +32,8 @@ from logs-windows.sysmon_operational-*
 | where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and
  file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
 | keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
+| stats occurrences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
+| where agents == 1 and occurrences <= 10
 ```
 
 ## Notes

hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml

@@ -1,7 +1,7 @@
 [hunt]
 author = "Elastic"
 description = """
-This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS.
+This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurrences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS.
 """
 integration = ["endpoint", "windows"]
 uuid = "d0aed6f5-f84c-4da8-bb2a-b5ca0fbb55e0"
@@ -17,8 +17,8 @@ from logs-endpoint.events.api*
 | keep process.executable.caseless, host.id
  /* normalize process paths to reduce known random patterns in process.executable */
 | eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| stats occurences = count(process), agents = count_distinct(host.id) by process
+| stats occurrences = count(process), agents = count_distinct(host.id) by process
-| where agents == 1 and occurences <= 10
+| where agents == 1 and occurrences <= 10
 ''',
 '''
 from logs-windows.sysmon_operational-*
@@ -29,8 +29,8 @@ from logs-windows.sysmon_operational-*
  /* normalize process paths to reduce known random patterns in process.executable */
 | eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
 | eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
-| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path
+| stats occurrences = count(process_path), agents = count_distinct(host.id) by process_path
-| where agents == 1 and occurences <= 10
+| where agents == 1 and occurrences <= 10
 '''
 ]
 notes = [

hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml

@@ -5,7 +5,7 @@ This hunt looks for DNS queries performed by commonly abused Microsoft binaries
 """
 integration = ["endpoint", "windows"]
 uuid = "1c7be6db-12eb-4281-878d-b6abe0454f36"
-name = "DNS Queries via LOLBins with Low Occurence Frequency"
+name = "DNS Queries via LOLBins with Low Occurrence Frequency"
 language = ["ES|QL"]
 license = "Elastic License v2"
 notes = [
@@ -23,4 +23,4 @@ from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
 | stats occurrences = count(*), hosts = count_distinct(host.id) by process.name, dns.question.name
 | where hosts == 1
 ''',
-]
+]

hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml

@@ -24,8 +24,8 @@ from logs-endpoint.events.file-*
   starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and
   starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
 | keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
+| stats occurrences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
+| where agents == 1 and occurrences <= 10
 ''',
 '''
 from logs-windows.sysmon_operational-*
@@ -33,7 +33,7 @@ from logs-windows.sysmon_operational-*
 | where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and
  file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
 | keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
+| stats occurrences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
+| where agents == 1 and occurrences <= 10
 '''
 ]

rules/README.md

@@ -27,5 +27,5 @@ Integration specific rules are stored in the [`integrations/`](integrations) dir
 | [`gcp/`](integrations/gcp)                             | Google Cloud Platform (GCP)          |
 | [`google_workspace/`](integrations/google_workspace)   | Google Workspace (formerly GSuite)   |
 | [`o365/`](integrations/o365)                           | Microsoft Office                     |
-| [`okta/`](integrations/okta)                           | Oka                                  |
+| [`okta/`](integrations/okta)                           | Okta                                 |
 

rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml

@@ -2,14 +2,14 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/02/25"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers
+Identifies the occurrence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers
 can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access.
-Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain
+Users can inadvertently share these files without knowing their maliciousness, giving adversaries an opportunity to gain
 initial access to other endpoints in the environment.
 """
 false_positives = ["Benign files can trigger signatures in the built-in virus protection"]

rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml

@@ -2,12 +2,12 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/02/25"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine.
+Identifies the occurrence of files uploaded to SharePoint being detected as Malware by the file scanning engine.
 Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their
 access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities
 to gain initial access to other endpoints in the environment.

rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/02/25"
 
 [rule]
 author = ["Elastic"]
@@ -125,4 +125,3 @@ reference = "https://attack.mitre.org/techniques/T1547/012/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-

tests/test_all_rules.py

@@ -793,7 +793,7 @@ class TestRuleMetadata(BaseRuleTest):
 
         # If the output is not empty, then file(s) have changed in the directory(s)
         if result:
-            modified_rules = result.splitlines()
+            modified_rules = [path for path in result.splitlines() if path.endswith(".toml")]
             failed_rules = []
             for modified_rule_path in modified_rules:
                 diff_output = detection_rules_git("diff", "origin/main", modified_rule_path)