Merge branch '7.9' into main

2020-08-03 14:03:15 -06:00
parent 83e33e70bb 7efe33e01d
commit a99b7c96fe
79 changed files with 157 additions and 154 deletions
@@ -37,7 +37,7 @@ class SeverityMapping(jsl.Document):


 class ThresholdMapping(jsl.Document):
-    field = jsl.StringField(required=False)
+    field = jsl.StringField(required=True, default="")
    value = jsl.IntField(minimum=1, required=True)


@@ -48,4 +48,5 @@ name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"

 [rule.threshold]
+field = ""
 value = 25
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
    troubleshooting.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Sniffing via Tcpdump"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/07/01"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to
 receive or send network traffic.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempt to Disable IPTables or Firewall"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade
 detection by security controls.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempt to Disable Syslog Service"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = [
    filtered by the process executable or username values.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Base16 or Base32 Encoding/Decoding Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = [
    filtered by the process executable or username values.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Base64 Encoding/Decoding Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic
 investigations.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
 name = "Deletion of Bash Command Line History"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/22"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies potential attempts to disable Security-Enhanced Linux (SELinux), whic
 support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and
 activities.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential Disabling of SELinux"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Malware or other files dropped or created on a system by an adversary may leave
 a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or
 remove them at the end as part of the post-intrusion cleanup process.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "File Deletion via Shred"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/21"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    by username.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "File Permission Modification in Writable Directory"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = [
    filtered by the process executable or username values.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Hex Encoding/Decoding Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/29"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
    behavior. These events can be filtered by the process arguments, username, or process name values.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
 max_signals = 33
@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
    Note that some Linux distributions are not built to support the removal of modules at all.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Kernel Module Removal"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
    by ordinary users is uncommon. These can be exempted by process name or username.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Enumeration of Kernel Modules"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
    process arguments to eliminate potential noise.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Virtual Machine Fingerprinting"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    automation tools and frameworks.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "User Discovery via Whoami"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully
 interactive tty after obtaining initial access to a host.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Interactive Terminal Spawned via Perl"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/15"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully
 interactive tty after obtaining initial access to a host.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Interactive Terminal Spawned via Python"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
    suspicious.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Connection to External Network via Telnet"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
    suspicious.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Connection to Internal Network via Telnet"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    uncommon.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Hping Process Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    uncommon.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential DNS Tunneling via Iodine"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Mknod Process Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
    originate from scripts, automation tools, and frameworks.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Netcat Network Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
    uncommon.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Nmap Process Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Nping Process Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = [
    username.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Process Execution - Temp"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
    more likely to be suspicious.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Socat Process Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    originate from developers or SREs engaged in debugging or system call tracing.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Strace Process Activity"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = [
    programs by ordinary users is uncommon.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Persistence via Kernel Module Modification"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = [
    behavior.
    """,
 ]
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential Shell via Web Server"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ group. An adversary can take advantage of this to either do a shell escape or ex
 with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
 on their own malware to make sure they're able to execute in elevated contexts in the future.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
 max_signals = 33
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ user. An adversary can take advantage of this to either do a shell escape or exp
 with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
 on their own malware to make sure they're able to execute in elevated contexts in the future.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
 license = "Elastic License"
 max_signals = 33
@@ -2,7 +2,7 @@
 creation_date = "2020/04/13"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/25"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
 advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
 """
-index = ["auditbeat-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Sudoers File Modification"
@@ -32,6 +32,7 @@ event.kind:alert and event.module:(endpoint and not endgame)

 [[rule.exceptions_list]]
 id = "endpoint_list"
+list_id = "endpoint_list"
 namespace_type = "agnostic"
 type = "endpoint"

@@ -7,10 +7,10 @@ updated_date = "2020/07/08"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert for each external alert written to the configured indices. Enabling
-this rule allows you to immediately begin investigating external alerts in the app.
+Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to
+immediately begin investigating external alerts in the app.
 """
-index = ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
+index = ["apm-*-transaction*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
 language = "kuery"
 license = "Elastic License"
 max_signals = 10000
@@ -57,3 +57,4 @@ operator = "equals"
 value = "99"
 severity = "critical"

+
@@ -2,7 +2,7 @@
 creation_date = "2020/03/19"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or
 malware, from a remote URL.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via Certutil"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically lin
 credential management. This technique is sometimes used for credential dumping.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Loading Windows Credential Libraries"
@@ -2,12 +2,12 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
 description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Adding Hidden File Attribute via Attrib"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection
 or destroy forensic evidence on a system.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Clearing Windows Event Logs"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence
 of files created during post-exploitation activities.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Delete Volume USN Journal with Fsutil"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent
 system recovery.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Deleting Backup Catalogs with Wbadmin"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to
 disable the firewall during troubleshooting or to enable network mobility.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Disable Windows Firewall Rules via Netsh"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the use of certutil.exe to encode or decode data. CertUtil is a nativ
 Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and
 control or exfiltration.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Encoding or Decoding Files via CertUtil"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    this program to be started by an Office application like Word or Excel.
    """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by an Office Application"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by a script or t
 behavior is unusual and is sometimes used by malicious payloads.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by a Script Process"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or t
 Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by a System Process"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started after being rena
 indicate an attempt to run unnoticed or undetected.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Using an Alternate Name"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    triggers this rule it can be exempted by process, user or host name.
    """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started an Unusual Process"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Binaries signed with trusted digital certificates can execute on Windows systems
 validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass
 application allowlists and signature validation.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via Signed Binary"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an
 attacker as a destructive technique.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Modification of Boot Configuration"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or
 other destructive attacks.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Volume Shadow Copy Deletion via VssAdmin"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or
 other destructive attacks.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Volume Shadow Copy Deletion via WMIC"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It
 is used in command line operations for control of users, groups, services, and network connections.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Net command via SYSTEM account"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    environment for network connections being made from the command prompt to determine any abnormal use of this tool.
    """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Command Prompt Network Connection"
@@ -2,12 +2,12 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe."
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "PowerShell spawning Cmd"
@@ -2,12 +2,12 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Svchost spawning Cmd"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTM
 malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable
 program (hh.exe).
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via Compiled HTML File"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
 lateral movement but will be noisy if commonly done by admins.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Local Service Commands"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often
 leveraged by adversaries to execute code and evade detection.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "MsBuild Making Network Connections"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged
 by adversaries to execute malicious scripts and evade detection.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via Mshta"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged
 by adversaries to execute malicious scripts and evade detection.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via MsXsl"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    environment to determine the amount of noise to expect from this tool.
    """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "PsExec Network Connection"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    is unusual.
    """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via Regsvr"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes
 executing a PowerShell script, may be indicative of malicious activity.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Windows Script Executing PowerShell"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies suspicious child processes of frequently targeted Microsoft Office ap
 These child processes are often launched during exploitation of Office applications or from documents with malicious
 macros.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious MS Office Child Process"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear
 phishing activity.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious MS Outlook Child Process"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/30"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies suspicious child processes of PDF reader applications. These child processes are often launched via
 exploitation of PDF applications or social engineering.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious PDF Reader Child Process"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity
 and may identify malicious DLLs.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Network Connection via RunDLL32"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies network activity from unexpected system applications. This may indicate adversarial activity as these
 applications are often leveraged by adversaries to execute code and evade detection.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Process Network Connection"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to r
 (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows
 utility.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Execution via Regsvcs/Regasm"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ over Server Message Block (SMB), which communicates between hosts using port 445
 connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or
 suspicious user-level processes moving laterally.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Direct Outbound SMB Connection"
@@ -2,12 +2,12 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
 description = "Detects writing executable files that will be automatically launched by Adobe on launch."
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Adobe Hijack Persistence"
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
 description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges."
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Local Scheduled Task Commands"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration
 testers may run a shell as a service to gain SYSTEM permissions.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "System Shells via Services"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or
 domain.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "User Account Creation"
@@ -2,7 +2,7 @@
 creation_date = "2020/03/17"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with
 elevated permissions.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Bypass UAC via Event Viewer"
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange
 activity on a system.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Parent-Child Relationship"