[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)

* [Rule Tuning] Add tags to flag Sysmon-only rules

* Modify tags

* Revert "Modify tags"

This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.

* Modify tags

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py
Jonhnathan
2022-11-18 07:32:27 -08:00
committed by GitHub
parent 6055d0db60
commit ac01718bb6
180 changed files with 192 additions and 194 deletions
@@ -67,7 +67,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery", "has_guide"]
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -68,7 +68,7 @@ references = [
risk_score = 73
rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -68,7 +68,7 @@ references = [
risk_score = 47
rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -73,7 +73,7 @@ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat
risk_score = 47
rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact", "has_guide"]
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact", "Investigation Guide"]
timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
timeline_title = "Comprehensive File Timeline"
timestamp_override = "event.ingested"
@@ -62,7 +62,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
risk_score = 99
rule_id = "699e9fdb-b77c-4c01-995c-1c15019b9c43"
severity = "critical"
tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
type = "threat_match"
@@ -62,7 +62,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
risk_score = 99
rule_id = "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0"
severity = "critical"
tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
type = "threat_match"
@@ -84,7 +84,7 @@ references = [
risk_score = 47
rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
type = "threshold"
query = '''
@@ -77,7 +77,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
risk_score = 21
rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -90,7 +90,7 @@ references = [
risk_score = 47
rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -89,7 +89,7 @@ references = [
risk_score = 47
rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -93,7 +93,7 @@ references = [
risk_score = 47
rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -89,7 +89,7 @@ references = [
risk_score = 47
rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -91,7 +91,7 @@ references = [
risk_score = 21
rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -89,7 +89,7 @@ references = [
risk_score = 73
rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -90,7 +90,7 @@ references = [
risk_score = 47
rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -89,7 +89,7 @@ references = [
risk_score = 21
rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -94,7 +94,7 @@ references = [
risk_score = 47
rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -93,7 +93,7 @@ references = [
risk_score = 47
rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -85,7 +85,7 @@ references = [
risk_score = 47
rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -72,7 +72,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
risk_score = 47
rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -89,7 +89,7 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-
risk_score = 21
rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Initial Access", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Initial Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -101,6 +101,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
type = "machine_learning"
@@ -104,6 +104,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
type = "machine_learning"
@@ -106,6 +106,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
type = "machine_learning"
@@ -106,6 +106,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
type = "machine_learning"
@@ -104,6 +104,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
type = "machine_learning"
@@ -81,7 +81,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
risk_score = 73
rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -84,7 +84,7 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-
risk_score = 21
rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -87,7 +87,7 @@ references = [
risk_score = 21
rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
severity = "low"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -80,7 +80,7 @@ references = [
risk_score = 73
rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
severity = "high"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -76,7 +76,7 @@ references = [
risk_score = 47
rule_id = "26edba02-6979-4bce-920a-70b080a7be81"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -84,7 +84,7 @@ references = [
risk_score = 21
rule_id = "a605c51a-73ad-406d-bf3a-f24cc41d5c97"
severity = "low"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -87,7 +87,7 @@ references = [
risk_score = 47
rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -79,7 +79,7 @@ references = [
risk_score = 47
rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -73,7 +73,7 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re
risk_score = 47
rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -91,7 +91,7 @@ risk_score = 47
rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1"
severity = "medium"
tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps",
"Configuration Audit", "Impact", "has_guide"]
"Configuration Audit", "Impact", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -86,7 +86,7 @@ references = [
risk_score = 47
rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "has_guide"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -88,7 +88,7 @@ references = [
risk_score = 47
rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide"]
type = "eql"
query = '''
@@ -33,7 +33,7 @@ references = [
risk_score = 47
rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide"]
type = "eql"
query = '''
@@ -62,7 +62,7 @@ mean time to respond (MTTR).
risk_score = 47
rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "has_guide"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "Investigation Guide"]
type = "threshold"
query = '''
@@ -77,7 +77,7 @@ references = [
risk_score = 47
rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "has_guide"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -63,7 +63,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence", "Investigation Guide"]
type = "machine_learning"
[[rule.threat]]
@@ -78,7 +78,7 @@ references = [
risk_score = 47
rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -85,7 +85,7 @@ references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfilt
risk_score = 47
rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -88,7 +88,7 @@ references = [
risk_score = 73
rule_id = "bd2c86a0-8b61-4457-ab38-96943984e889"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -84,7 +84,7 @@ references = ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphi
risk_score = 47
rule_id = "959a7353-1129-4aa7-9084-30746b256a70"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -66,7 +66,7 @@ references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-ba
risk_score = 47
rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -84,7 +84,7 @@ references = [
risk_score = 21
rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
type = "eql"
query = '''
@@ -81,7 +81,7 @@ mean time to respond (MTTR).
risk_score = 21
rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -64,7 +64,7 @@ references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-ove
risk_score = 47
rule_id = "3a59fc81-99d3-47ea-8cd6-d48d561fca20"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"]
type = "threshold"
query = '''
@@ -79,7 +79,7 @@ references = [
risk_score = 47
rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -69,7 +69,7 @@ references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunn
risk_score = 73
rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -91,7 +91,7 @@ references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native
risk_score = 47
rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -87,7 +87,7 @@ references = [
risk_score = 47
rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -81,7 +81,7 @@ mean time to respond (MTTR).
risk_score = 47
rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
type = "eql"
query = '''
@@ -80,7 +80,7 @@ mean time to respond (MTTR).
risk_score = 47
rule_id = "1d276579-3380-4095-ad38-e596a01bc64f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
type = "eql"
query = '''
@@ -87,7 +87,7 @@ references = [
risk_score = 73
rule_id = "22599847-5d13-48cb-8872-5796fee8692b"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -85,7 +85,7 @@ references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.ht
risk_score = 47
rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -70,7 +70,7 @@ references = ["https://lolbas-project.github.io/"]
risk_score = 73
rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -89,7 +89,7 @@ mean time to respond (MTTR).
risk_score = 73
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
type = "eql"
query = '''
@@ -105,7 +105,7 @@ references = [
risk_score = 73
rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -79,7 +79,7 @@ references = [
risk_score = 47
rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -72,7 +72,7 @@ references = [
risk_score = 73
rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -93,7 +93,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2022/06/29"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/10/11"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-p
risk_score = 73
rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
timestamp_override = "event.ingested"
type = "eql"
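Review bot: The added `Sysmon Only` tag on the rule with rule_id 7ba58110-ae13-439b-8192-357b0fcfa9d7 presumably marks that the query matches only Sysmon-sourced events, but the tag string is the only place this data dependency is recorded, so a deployer reading the rule has no statement of what must be collected for it to fire. Since `min_stack_comments` in the same file lists a `setup` field, each Sysmon-only rule could carry a short note such as `setup = "This rule relies on Sysmon event data; it does not alert on other Windows data sources. Confirm Sysmon logs are shipped to the queried indices."` so the requirement travels with the rule rather than with the tag alone. The same applies to the tag additions in the hunks ending at L626, L666, L674 and L690. Separately, the metadata hunk sets `updated_date = "2022/10/11"` while the commit is dated 2022-11-18; if the repository expects updated_date to reflect the last edit, it should be refreshed before merge, and the other metadata hunks carry the same date. The query these rules run is outside the hunk, so which Sysmon event type each depends on cannot be confirmed from here.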
@@ -119,7 +119,7 @@ references = [
risk_score = 73
rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -76,7 +76,7 @@ references = [
risk_score = 73
rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -104,7 +104,7 @@ references = [
risk_score = 73
rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -88,7 +88,7 @@ references = [
risk_score = 73
rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -67,7 +67,7 @@ references = [
risk_score = 47
rule_id = "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -88,7 +88,7 @@ references = [
risk_score = 73
rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -86,7 +86,7 @@ references = [
risk_score = 47
rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -3,7 +3,7 @@ creation_date = "2021/09/27"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/10/11"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ references = ["https://github.com/CCob/MirrorDump"]
risk_score = 47
rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
timestamp_override = "event.ingested"
type = "eql"
@@ -74,7 +74,7 @@ references = [
risk_score = 73
rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"]
type = "eql"
query = '''
@@ -90,7 +90,7 @@ references = [
risk_score = 73
rule_id = "f494c678-3c33-43aa-b169-bb3d5198c41d"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -101,7 +101,7 @@ references = [
risk_score = 73
rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,6 +1,6 @@
[metadata]
creation_date = "2021/10/17"
updated_date = "2022/08/24"
updated_date = "2022/10/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -26,7 +26,7 @@ references = ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com
risk_score = 73
rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
type = "eql"
query = '''
@@ -27,7 +27,7 @@ references = [
risk_score = 73
rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
timestamp_override = "event.ingested"
type = "eql"
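Review bot: This file receives the `"Sysmon Only"` tag on the tags line but, unlike the other Sysmon-tagged rules in this commit (c5c9f591, 0f93cb9a, a16612dd, 9d110cb3), no `[metadata]` hunk bumping `updated_date` is visible for it. If the repository convention is that any change to the rule body bumps `updated_date`, this one was missed; if `updated_date` was already current, a short note in the PR would spare the next reviewer the same question. The rest of the file is outside the visible hunk, so this is inferred from the absence of a second hunk rather than from the file itself.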
@@ -1,6 +1,6 @@
[metadata]
creation_date = "2021/10/14"
updated_date = "2022/08/24"
updated_date = "2022/10/11"
maturity = "production"
min_stack_version = "8.3.0"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
@@ -29,7 +29,7 @@ references = [
risk_score = 73
rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
timestamp_override = "event.ingested"
type = "threshold"
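Review bot: Every Sysmon-tagged rule in this commit bumps `updated_date` to the same `"2022/10/11"`, which reads as the date the branch was started rather than the date the tag change lands; if release tooling or downstream consumers use `updated_date` for change tracking, refresh it at merge time. For this `threshold` rule a missing Sysmon feed does not error, the counter simply never reaches the threshold, so the operator-facing `setup`/`note` text (outside this hunk) is where the dependency needs to be stated, not only in a tag.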
@@ -94,7 +94,7 @@ references = [
risk_score = 47
rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"]
type = "eql"
query = '''
@@ -95,7 +95,7 @@ references = [
risk_score = 47
rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,6 +1,6 @@
[metadata]
creation_date = "2021/11/27"
updated_date = "2022/08/24"
updated_date = "2022/10/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -30,7 +30,7 @@ references = [
risk_score = 73
rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
timestamp_override = "event.ingested"
type = "eql"
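Review bot: `"Sysmon Only"` encodes a negative coverage statement that becomes wrong the moment this rule's query is extended to Elastic Defend or Endgame fields, whereas the other data-source tag in the same vocabulary, `"Elastic Endgame"` on neighbouring rules, names its source positively. If the tag vocabulary is still open, a positive tag such as `"Sysmon"` backed by a test asserting that the rule's required fields are Sysmon-specific would age better; if `"Sysmon Only"` is already the agreed spelling, the test should at least enforce it so the string is not hand-typed across dozens of files. The query that would settle which it is lies outside the visible hunk.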
@@ -85,7 +85,7 @@ references = [
risk_score = 73
rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -68,7 +68,7 @@ references = [
risk_score = 47
rule_id = "b5877334-677f-4fb9-86d5-a9721274223b"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -65,7 +65,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -57,7 +57,7 @@ mean time to respond (MTTR).
risk_score = 21
rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -86,7 +86,7 @@ references = [
risk_score = 21
rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -70,7 +70,7 @@ references = ["https://thedfirreport.com/2020/12/13/defender-control/"]
risk_score = 21
rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -81,7 +81,7 @@ references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitd
risk_score = 47
rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -88,7 +88,7 @@ references = [
risk_score = 47
rule_id = "818e23e6-2094-4f0e-8c01-22d30f3506c6"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -57,7 +57,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -71,7 +71,7 @@ references = [
risk_score = 47
rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -64,7 +64,7 @@ references = [
risk_score = 21
rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -65,7 +65,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -63,7 +63,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -94,7 +94,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m
risk_score = 73
rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/10/11"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Process Injection by the Microsoft Build Engine"
risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Sysmon Only"]
timestamp_override = "event.ingested"
type = "query"
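Review bot: This rule is `maturity = "production"` and is now tagged `"Sysmon Only"`, but a tag does not surface the dependency to an operator who enables it on a fleet without Sysmon — the rule simply never fires. The file already carries a `setup` field (per `min_stack_comments` in the hunk above), which is the right place for the requirement, e.g. `setup = "Requires Sysmon process-injection telemetry (verify the event ID against the query) shipped into the rule's index pattern; the rule does not alert on Elastic Defend data alone."` The `[rule]` table's `query` and index pattern lie outside the visible hunk, so the exact Sysmon event cannot be confirmed here.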
@@ -81,7 +81,7 @@ references = [
risk_score = 47
rule_id = "fe794edd-487f-4a90-b285-3ee54f2af2d3"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -87,7 +87,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "feeed87c-5e95-4339-aef1-47fd79bcfbe3"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -111,7 +111,7 @@ references = [
risk_score = 73
rule_id = "e26f042e-c590-4e82-8e05-41e81bd822ad"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
