diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 0b0e20158..49031193b 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -67,7 +67,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index fe9b28246..500d02433 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -68,7 +68,7 @@ references = [
 risk_score = 73
 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index e1dd12302..2da899698 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -68,7 +68,7 @@ references = [
 risk_score = 47
 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 0cdd27dd4..162a5eb1f 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -73,7 +73,7 @@ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat
 risk_score = 47
 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact", "has_guide"]
+tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact", "Investigation Guide"]
 timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
 timeline_title = "Comprehensive File Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml
index 92a56f636..ef97bbd3f 100644
--- a/rules/cross-platform/threat_intel_filebeat8x.toml
+++ b/rules/cross-platform/threat_intel_filebeat8x.toml
@@ -62,7 +62,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
 risk_score = 99
 rule_id = "699e9fdb-b77c-4c01-995c-1c15019b9c43"
 severity = "critical"
-tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
+tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
 type = "threat_match"
diff --git a/rules/cross-platform/threat_intel_fleet_integrations.toml b/rules/cross-platform/threat_intel_fleet_integrations.toml
index de4424e05..6efa98f29 100644
--- a/rules/cross-platform/threat_intel_fleet_integrations.toml
+++ b/rules/cross-platform/threat_intel_fleet_integrations.toml
@@ -62,7 +62,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
 risk_score = 99
 rule_id = "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0"
 severity = "critical"
-tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
+tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
 type = "threat_match"
diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
index b69910b13..1d296a24d 100644
--- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -84,7 +84,7 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 type = "threshold"
 query = '''
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index 25ddc7b3e..04e02ff49 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -77,7 +77,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
index e35d636e4..c196aa384 100644
--- a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -90,7 +90,7 @@ references = [
 risk_score = 47
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 2ed114081..c1a41d79d 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -89,7 +89,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index b50ea89ee..6919c1224 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -93,7 +93,7 @@ references = [
 risk_score = 47
 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 5ef149641..05454ee99 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -89,7 +89,7 @@ references = [
 risk_score = 47
 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 4083c75f2..0c25ef2f7 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -91,7 +91,7 @@ references = [
 risk_score = 21
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 99062f7c0..83b3d6bcc 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -89,7 +89,7 @@ references = [
 risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 100f93a52..00f7d1428 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -90,7 +90,7 @@ references = [
 risk_score = 47
 rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index b1105d301..138eea2cf 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -89,7 +89,7 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index e1dfff6ea..de1ad1161 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -94,7 +94,7 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index 00ce218dd..804952765 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -93,7 +93,7 @@ references = [
 risk_score = 47
 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index 719062c0a..6e4efb48a 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -85,7 +85,7 @@ references = [
 risk_score = 47
 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index 078a17aad..1dca14a27 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -72,7 +72,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 47
 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index d84e1b93e..b67b067a0 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -89,7 +89,7 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-
 risk_score = 21
 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Initial Access", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Initial Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index 140bb91ff..65225f55e 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -101,6 +101,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 58ff3fc80..96f8fa671 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -104,6 +104,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index 8a7ccf01d..2dcf73ce0 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -106,6 +106,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index 1e06aa1a4..79c920f4c 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -106,6 +106,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index dae0c9d2d..efba6bbd1 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -104,6 +104,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "ML", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "ML", "Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 344e89404..99db503f1 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -81,7 +81,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
 severity = "high"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index d3c198c99..fbbd8836f 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -84,7 +84,7 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-
 risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index 8f3194b7c..c1d10df75 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -87,7 +87,7 @@ references = [
 risk_score = 21
 rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index 2d2adca9c..09a4c24ba 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -80,7 +80,7 @@ references = [
 risk_score = 73
 rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
 severity = "high"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 60b407442..5aadfd55d 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -76,7 +76,7 @@ references = [
 risk_score = 47
 rule_id = "26edba02-6979-4bce-920a-70b080a7be81"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index b47b15fe0..b3b16fa8a 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -84,7 +84,7 @@ references = [
 risk_score = 21
 rule_id = "a605c51a-73ad-406d-bf3a-f24cc41d5c97"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 94b6c5d73..c0c40f030 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -87,7 +87,7 @@ references = [
 risk_score = 47
 rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index afcf6974e..eddb6dcbf 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -79,7 +79,7 @@ references = [
 risk_score = 47
 rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index a78ee9fbe..295644a6e 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -73,7 +73,7 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re
 risk_score = 47
 rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "has_guide"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index 7dd90ef79..67e0f2259 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -91,7 +91,7 @@ risk_score = 47
 rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1"
 severity = "medium"
 tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps",
-"Configuration Audit", "Impact", "has_guide"]
+"Configuration Audit", "Impact", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index 272d9a7b5..bea42106a 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -86,7 +86,7 @@ references = [
 risk_score = 47
 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "has_guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index 3eec7dcae..419c9b6ec 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -88,7 +88,7 @@ references = [
 risk_score = 47
 rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide"]
 type = "eql"
 query = '''
diff --git a/rules/linux/execution_reverse_shell_via_named_pipe.toml b/rules/linux/execution_reverse_shell_via_named_pipe.toml
index 002626d80..91d5e22fa 100644
--- a/rules/linux/execution_reverse_shell_via_named_pipe.toml
+++ b/rules/linux/execution_reverse_shell_via_named_pipe.toml
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide"]
 type = "eql"
 query = '''
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index 97cf26bad..d40329c53 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -62,7 +62,7 @@ mean time to respond (MTTR).
 risk_score = 47
 rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "has_guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "Investigation Guide"]
 type = "threshold"
 query = '''
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 670c3fd7d..373b42235 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
@@ -77,7 +77,7 @@ references = [
 risk_score = 47
 rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "has_guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index ec2e54dad..c124a25a8 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -63,7 +63,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Persistence", "Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index a2a67bc07..973fcc93b 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -78,7 +78,7 @@ references = [
 risk_score = 47
 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index 4a9200af2..1a77f4f75 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -85,7 +85,7 @@ references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfilt
 risk_score = 47
 rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index 84f133a60..3d2e7861a 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -88,7 +88,7 @@ references = [
 risk_score = 73
 rule_id = "bd2c86a0-8b61-4457-ab38-96943984e889"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index 1b5dd0366..89ab9e083 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -84,7 +84,7 @@ references = ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphi risk_score = 47 rule_id = "959a7353-1129-4aa7-9084-30746b256a70" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 0462eff33..829f83b38 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -66,7 +66,7 @@ references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-ba risk_score = 47 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 20b0bce92..afb1960b4 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -84,7 +84,7 @@ references = [ risk_score = 21 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 0eb1e7618..c6eb6e0ca 100644 
--- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -81,7 +81,7 @@ mean time to respond (MTTR). risk_score = 21 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index d5a779597..1220ef31e 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -64,7 +64,7 @@ references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-ove risk_score = 47 rule_id = "3a59fc81-99d3-47ea-8cd6-d48d561fca20" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] type = "threshold" query = ''' diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 5449602b5..bba53003d 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml 
@@ -79,7 +79,7 @@ references = [ risk_score = 47 rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index c58fbe76e..f68e344f1 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -69,7 +69,7 @@ references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunn risk_score = 73 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index b327edf90..72c7ff392 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -91,7 +91,7 @@ references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native risk_score = 47 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 90899135a..5acf76575 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -87,7 +87,7 @@ references = [ risk_score = 47 rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 8ad8d9e0f..8971101ab 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -81,7 +81,7 @@ mean time to respond (MTTR). risk_score = 47 rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 05ed8eda0..af35f754e 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml 
@@ -80,7 +80,7 @@ mean time to respond (MTTR). risk_score = 47 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index a089c5915..4c51cfb7d 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml @@ -87,7 +87,7 @@ references = [ risk_score = 73 rule_id = "22599847-5d13-48cb-8872-5796fee8692b" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 04428ab84..e9d7547a1 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -85,7 +85,7 @@ references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.ht risk_score = 47 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index 17753dea7..b5481cbd0 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -70,7 +70,7 @@ references = ["https://lolbas-project.github.io/"] risk_score = 73 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 7bcd29d58..cca55d37f 100644 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -89,7 +89,7 @@ mean time to respond (MTTR). risk_score = 73 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index aed8018c8..9b9ffa76a 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml 
@@ -105,7 +105,7 @@ references = [ risk_score = 73 rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index 00408acfc..48ed8ec03 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -79,7 +79,7 @@ references = [ risk_score = 47 rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index a6093cab4..d0ce1c049 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -72,7 +72,7 @@ references = [ risk_score = 73 rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index b3101c739..f127fa85f 100644 
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -93,7 +93,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml index 78e3413da..0ed1d8b3f 100644 --- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml +++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml @@ -3,7 +3,7 @@ creation_date = "2022/06/29" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/10/11" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-p risk_score = 73 rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index 7fd43c4be..29af22fa1 100644 --- a/rules/windows/credential_access_lsass_memdump_handle_access.toml +++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml 
@@ -119,7 +119,7 @@ references = [ risk_score = 73 rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index f28d3f271..b2806be7e 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -76,7 +76,7 @@ references = [ risk_score = 73 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 06bb5f665..3a9ade0a3 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -104,7 +104,7 @@ references = [ risk_score = 73 rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 862c19cd7..e32a57d7a 100644 
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -88,7 +88,7 @@ references = [ risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 22defdc09..13d2e31ad 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -67,7 +67,7 @@ references = [ risk_score = 47 rule_id = "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index f8b832aea..d4ed4abcd 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml @@ -88,7 +88,7 @@ references = [ risk_score = 73 rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml index 167a97de7..57e5002c9 100644 --- a/rules/windows/credential_access_posh_request_ticket.toml +++ b/rules/windows/credential_access_posh_request_ticket.toml @@ -86,7 +86,7 @@ references = [ risk_score = 47 rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml index db728f799..e158844f2 100644 --- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml +++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml @@ -3,7 +3,7 @@ creation_date = "2021/09/27" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/10/11" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ references = ["https://github.com/CCob/MirrorDump"] risk_score = 47 rule_id = "02a4576a-7480-4284-9327-548a806b5e48" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index ab8409737..de97d9499 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml 
@@ -74,7 +74,7 @@ references = [ risk_score = 73 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml index c2662e992..db192996c 100644 --- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml +++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml @@ -90,7 +90,7 @@ references = [ risk_score = 73 rule_id = "f494c678-3c33-43aa-b169-bb3d5198c41d" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index 3b7675f88..33dbfe218 100644 --- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml @@ -101,7 +101,7 @@ references = [ risk_score = 73 rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml index 463542ea0..5e5ec86cf 100644 --- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml @@ -1,6 +1,6 @@ [metadata] creation_date = "2021/10/17" -updated_date = "2022/08/24" +updated_date = "2022/10/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -26,7 +26,7 @@ references = ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com risk_score = 73 rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"] type = "eql" query = ''' diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index 62598030d..032f7fba3 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -27,7 +27,7 @@ references = [ risk_score = 73 rule_id = "9960432d-9b26-409f-972b-839a959e79e2" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml index 50b5f1f2d..1a95db160 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml 
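Review bot: The `"Sysmon Only"` tag added to credential_access_suspicious_lsass_access_memdump.toml (hunk `@@ -27,7 +27,7 @@`) is the only one of the six Sysmon-tagging changes in this chunk that is not paired with a `[metadata]` hunk; the same tag in credential_access_lsass_handle_via_malseclogon.toml, credential_access_potential_lsa_memdump_via_mirrordump.toml, credential_access_suspicious_comsvcs_imageload.toml, credential_access_suspicious_lsass_access_via_snapshot.toml and credential_access_via_snapshot_lsass_clone_creation.toml is accompanied by `updated_date = "2022/10/11"`. Add the same bump to this file so the modification is tracked consistently with its siblings. The tag also records a data-source dependency that nothing in the hunk enforces or explains: the `query` and any `setup`/`note` text lie outside the hunk, so if the file does not already say so, a short setup line such as `This rule requires Sysmon event data; verify the endpoint forwards it before enabling` would tell operators why the rule stays silent on hosts without that telemetry — confirm the exact event source against the query first. The enclosing `[rule]` table begins and ends outside the hunk.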
@@ -1,6 +1,6 @@ [metadata] creation_date = "2021/10/14" -updated_date = "2022/08/24" +updated_date = "2022/10/11" maturity = "production" min_stack_version = "8.3.0" min_stack_comments = "New fields added: required_fields, related_integrations, setup" @@ -29,7 +29,7 @@ references = [ risk_score = 73 rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"] timestamp_override = "event.ingested" type = "threshold" diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index 0a514de0f..4645bdcb7 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -94,7 +94,7 @@ references = [ risk_score = 47 rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index 4ea1d97b7..f918efca2 100644 --- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml 
@@ -95,7 +95,7 @@ references = [ risk_score = 47 rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml index 5fc0013f1..dec36d942 100644 --- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml +++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml @@ -1,6 +1,6 @@ [metadata] creation_date = "2021/11/27" -updated_date = "2022/08/24" +updated_date = "2022/10/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -30,7 +30,7 @@ references = [ risk_score = 73 rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index fee6af99d..1fe7636b3 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml 
@@ -85,7 +85,7 @@ references = [ risk_score = 73 rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index 5b0971a49..cb70fa212 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -68,7 +68,7 @@ references = [ risk_score = 47 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 4880ede76..0a7f9138c 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -65,7 +65,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml index 940573fd4..00c8518eb 100644 --- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml @@ -57,7 +57,7 @@ mean time to respond (MTTR). risk_score = 21 rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 3b6a9519d..72632b5ab 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -86,7 +86,7 @@ references = [ risk_score = 21 rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 83d52fc6f..8647b40e5 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml 
@@ -70,7 +70,7 @@ references = ["https://thedfirreport.com/2020/12/13/defender-control/"]
 risk_score = 21
 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 722cd459b..cf592beb2 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -81,7 +81,7 @@ references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitd
 risk_score = 47
 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index dab175b7b..ca1481c63 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -88,7 +88,7 @@ references = [
 risk_score = 47
 rule_id = "818e23e6-2094-4f0e-8c01-22d30f3506c6"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index 0aeb1c3fc..d190a4691 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -57,7 +57,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 8f3fd0afb..e2cde02d7 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -71,7 +71,7 @@ references = [
 risk_score = 47
 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index f3514aec5..534f26945 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -64,7 +64,7 @@ references = [
 risk_score = 21
 rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 3846656c4..f6671987d 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -65,7 +65,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index 39e4c77c1..1ced78fe3 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -63,7 +63,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index a27a4e0bb..1d267ac06 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -94,7 +94,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m
 risk_score = 73
 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index 190bd5a74..0306fa8f8 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/10/11"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Process Injection by the Microsoft Build Engine"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 04701087c..0330f9bd5 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -81,7 +81,7 @@ references = [
 risk_score = 47
 rule_id = "fe794edd-487f-4a90-b285-3ee54f2af2d3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index 296d8bc6b..5fb3e0b78 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -87,7 +87,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "feeed87c-5e95-4339-aef1-47fd79bcfbe3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index d9c104080..e7eba2eb4 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -111,7 +111,7 @@ references = [
 risk_score = 73
 rule_id = "e26f042e-c590-4e82-8e05-41e81bd822ad"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 89cfb3cf6..632e21021 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -109,7 +109,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 risk_score = 47
 rule_id = "81fe9dc6-a2d7-4192-a2d8-eed98afc766a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 50062e1c3..00e722d62 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -91,7 +91,7 @@ references = [
 risk_score = 73
 rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index adbb129a0..94a72e0a2 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -76,7 +76,7 @@ references = [
 risk_score = 47
 rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index b63850fa5..aa24252c7 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -94,7 +94,7 @@ references = [
 risk_score = 73
 rule_id = "2dd480be-1263-4d9c-8672-172928f6789a"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index dc4100eb3..fdb1a71a6 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -56,7 +56,7 @@ mean time to respond (MTTR).
 risk_score = 47
 rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Sysmon Only"]
 type = "eql"

 query = '''
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 9c3b18784..889acdd05 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
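Review bot: The `"Sysmon Only"` tag added on the `+tags` lines of defense_evasion_suspicious_process_access_direct_syscall.toml and defense_evasion_suspicious_process_creation_calltrace.toml comes without an `updated_date` bump, whereas the same tag addition to defense_evasion_injection_msbuild.toml earlier in this diff also moves `updated_date = "2022/08/24"` to `updated_date = "2022/10/11"`. If the repository treats a tag change as a change to rule content, as that earlier hunk suggests, the `[metadata]` sections of these two files should be bumped to the same date so the three "Sysmon Only" additions are handled consistently; those sections lie outside both hunks shown here. The `has_guide` to `Investigation Guide` rename itself is applied uniformly across the visible hunks and needs no further change.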
@@ -82,7 +82,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 11bd1cd34..7a5e0545e 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -93,7 +93,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index cb8eec300..cf0dabb8d 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -63,7 +63,7 @@ references = [
 risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
 type = "eql"

 query = '''
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 71388a612..ae415e282 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -52,7 +52,7 @@ mean time to respond (MTTR).
 risk_score = 21
 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
 type = "eql"

 query = '''
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 88f8906b2..8566611b5 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -69,7 +69,7 @@ references = [
 risk_score = 47
 rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index faafba29d..b3735c640 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -78,7 +78,7 @@ references = [
 risk_score = 21
 rule_id = "eda499b8-a073-4e35-9733-22ec71f57f3a"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 019f70b8a..a412f5957 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -66,7 +66,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "871ea072-1b71-4def-b016-6278b505138d"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 6d38b4cf0..3844e7c56 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -64,7 +64,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index 8c11eca6e..67dbc9a82 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -59,7 +59,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 5b5625c40..dcc6d7224 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -64,7 +64,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index 558b69d08..295f61ab6 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -84,7 +84,7 @@ references = [
 risk_score = 47
 rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 138cc3dcc..2e8d82e33 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -85,7 +85,7 @@ references = [
 risk_score = 47
 rule_id = "61ac3638-40a3-44b2-855a-985636ca985e"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 335c74761..7583d4962 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -73,7 +73,7 @@ references = [
 risk_score = 21
 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index ec56871d6..8aeb1ee71 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -99,7 +99,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index 369989560..35aea7dea 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -58,7 +58,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index 5a156fcc0..40e1b0a38 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -62,7 +62,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index b7b596cb7..e46638aa1 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -71,7 +71,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 0f0aec8b2..698d98d93 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -84,7 +84,7 @@ references = [
 risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 4ebe4f0cc..dc502fd7e 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -81,7 +81,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 9769a1831..b3cb07922 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -79,7 +79,7 @@ mean time to respond (MTTR).
 risk_score = 73
 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
 type = "eql"

 query = '''
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 2023152f0..dde2b98ce 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -78,7 +78,7 @@ mean time to respond (MTTR).
 risk_score = 73
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
 type = "eql"

 query = '''
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index 428cd5e9a..cfb556108 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -107,7 +107,7 @@ references = [
 risk_score = 47
 rule_id = "ad84d445-b1ce-4377-82d9-7c633f28bf9a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index d327e867c..2deee6cfc 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -122,7 +122,7 @@ references = [
 risk_score = 47
 rule_id = "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 6b636080d..faceec9a5 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -68,7 +68,7 @@ mean time to respond (MTTR).
 risk_score = 21
 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"]
 type = "eql"

 query = '''
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 6e421728e..46c17d4aa 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -80,7 +80,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index c8f0996ec..f1583ff31 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -95,7 +95,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index e2f28a55b..139bf0a3d 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -84,7 +84,7 @@ references = [ risk_score = 73 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml index d76b2376e..050532248 100644 --- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml @@ -71,7 +71,7 @@ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ risk_score = 73 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index 70a915422..7c9728583 100644 --- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -75,7 +75,7 @@ references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti- risk_score = 47 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide", "Elastic Endgame"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index 06e8f769c..9280f3fb7 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml 
@@ -69,7 +69,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index 4863a1746..c66105101 100644 --- a/rules/windows/impact_modification_of_boot_config.toml +++ b/rules/windows/impact_modification_of_boot_config.toml @@ -70,7 +70,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index ec6605555..538bc37f5 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -62,7 +62,7 @@ references = [ risk_score = 47 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide"] type = "threshold" query = ''' diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index 3ce3d7c6c..43433f351 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml 
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml @@ -91,7 +91,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index a914f2236..310e80927 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -95,7 +95,7 @@ references = [ risk_score = 73 rule_id = "d99a037b-c8e2-47a5-97b9-170d076827c4" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index f3ba2d76e..453e6b313 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -90,7 +90,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 88ee8f16d..f4fa92279 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -80,7 +80,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 78d1d11a6..65689371d 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -85,7 +85,7 @@ references = [ risk_score = 47 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index c89a914e0..4a47e6939 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml 
@@ -79,7 +79,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml index a5b2851d5..391583161 100644 --- a/rules/windows/initial_access_unusual_dns_service_children.toml +++ b/rules/windows/initial_access_unusual_dns_service_children.toml @@ -86,7 +86,7 @@ references = [ risk_score = 73 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index dc8cf212e..0ab303d8a 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -81,7 +81,7 @@ mean time to respond (MTTR). risk_score = 47 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml index 15a149e5f..f54113702 100644 --- a/rules/windows/lateral_movement_dns_server_overflow.toml 
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml @@ -73,7 +73,7 @@ references = [ risk_score = 47 rule_id = "11013227-0301-4a8c-b150-4db924484475" severity = "medium" -tags = ["Elastic", "Network", "Threat Detection", "Lateral Movement", "has_guide"] +tags = ["Elastic", "Network", "Threat Detection", "Lateral Movement", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index 403cbbbe5..923f75550 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -66,7 +66,7 @@ mean time to respond (MTTR). risk_score = 47 rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index b7fd77573..03714ec83 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -75,7 +75,7 @@ references = ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-move risk_score = 47 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 88d071bfe..0ff84aa08 100644 
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -65,7 +65,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "58aa72ca-d968-4f34-b9f7-bea51d75eb50" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index b5f7eeca3..986ef9a5c 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -91,7 +91,7 @@ references = ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-s risk_score = 47 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index 5cea73bd0..cf7c9df3f 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml @@ -55,7 +55,7 @@ restrict activity, or configuring settings that only allow administrators to cre risk_score = 47 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"] type = "eql" query = ''' 
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 122a82907..66788d50f 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -82,7 +82,7 @@ references = [ risk_score = 21 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml index 759ac4816..083e00255 100644 --- a/rules/windows/persistence_dontexpirepasswd_account.toml +++ b/rules/windows/persistence_dontexpirepasswd_account.toml @@ -72,7 +72,7 @@ references = [ risk_score = 47 rule_id = "62a70f6f-3c37-43df-a556-f64fa475fba2" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index d34a8a428..2616704b9 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml 
@@ -58,7 +58,7 @@ references = [ risk_score = 73 rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 058624709..aaa6f2a80 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -82,7 +82,7 @@ mean time to respond (MTTR). risk_score = 73 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index 4d8f40b18..1a2982cd2 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -93,7 +93,7 @@ references = ["https://www.elastic.co/blog/practical-security-engineering-statef risk_score = 73 rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index 654360465..3ebe52723 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -91,7 +91,7 @@ mean time to respond (MTTR). risk_score = 21 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799" timeline_title = "Comprehensive Registry Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index 1f549544c..edfe65c97 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -92,7 +92,7 @@ references = [ risk_score = 73 rule_id = "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index 3c85df750..9c08de978 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml 
@@ -93,7 +93,7 @@ references = [ risk_score = 47 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index b513bf09c..03bfc527b 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml @@ -87,7 +87,7 @@ mean time to respond (MTTR). risk_score = 47 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index d1d408622..bfe90546d 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -89,7 +89,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "f7c4dc5a-a58d-491d-9f14-9b66507121c0" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 8e0e71c55..de91b89e8 100644 
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml @@ -74,7 +74,7 @@ references = [ risk_score = 47 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 470cfd2c8..8f3721c5a 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -63,7 +63,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index dc08d5078..19ba0a126 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -61,7 +61,7 @@ references = [ risk_score = 47 rule_id = "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 13a02c023..aeaabb03c 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -61,7 +61,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index cecb1c3ea..060001eb7 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -89,7 +89,7 @@ references = ["https://github.com/irsl/CVE-2020-1313"] risk_score = 73 rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "CVE-2020-1313", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "CVE-2020-1313", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 07e133f83..2df0d09d2 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml 
@@ -85,7 +85,7 @@ references = [ risk_score = 73 rule_id = "2917d495-59bd-4250-b395-c29409b76086" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 0497214dc..bf5dde012 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -88,7 +88,7 @@ references = [ risk_score = 47 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index d1fd81d0e..d70658083 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -90,7 +90,7 @@ references = [ risk_score = 47 rule_id = "16fac1a1-21ee-4ca6-b720-458e3855d046" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index 5a780d664..9ef6493c5 100644 
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml @@ -72,7 +72,7 @@ references = [ risk_score = 73 rule_id = "b9554892-5e0e-424b-83a0-5aef95aa43bf" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index 3f08d020b..9045552c9 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -90,7 +90,7 @@ references = [ risk_score = 47 rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index 8b62d031e..be2ef43d0 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml 
@@ -90,7 +90,7 @@ references = ["https://github.com/klinix5/InstallerFileTakeOver"] risk_score = 73 rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 0748074ff..08707b4a5 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -81,7 +81,7 @@ references = [ risk_score = 73 rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index f05db0419..8cd4df263 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -90,7 +90,7 @@ references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-a risk_score = 73 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index 2cf77d5d7..463b7c35d 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -93,7 +93,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index d74362aaa..8742522f3 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -90,7 +90,7 @@ references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted risk_score = 73 rule_id = "290aca65-e94d-403b-ba0f-62f320e63f51" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 481e43030..9de4d9ac8 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml 
@@ -90,7 +90,7 @@ references = ["https://github.com/AzAgarampur/byeintegrity-uac"]
risk_score = 47
rule_id = "1178ae09-5aff-460a-9f2f-455cd0ac4d8e"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 29c10748a..e3f37b0dc 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -86,7 +86,7 @@ references = [
risk_score = 47
rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index 8791d7dc9..a325fb534 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/13"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/10/11"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
risk_score = 73
rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241"
severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Sysmon Only"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 78a3f8032..a237fb236 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -187,23 +187,21 @@ class TestRuleTags(BaseRuleTest):
def test_casing_and_spacing(self):
"""Ensure consistent and expected casing for controlled tags."""
- def normalize(s):
- return ''.join(s.lower().split())
expected_tags = [
'APM', 'AWS', 'Asset Visibility', 'Azure', 'Configuration Audit', 'Continuous Monitoring',
- 'Data Protection', 'Elastic', 'Elastic Endgame', 'Endpoint Security', 'GCP', 'Identity and Access', 'Linux',
- 'Logging', 'ML', 'macOS', 'Monitoring', 'Network', 'Okta', 'Packetbeat', 'Post-Execution', 'SecOps',
- 'Windows'
+ 'Data Protection', 'Elastic', 'Elastic Endgame', 'Endpoint Security', 'GCP', 'Identity and Access',
+ 'Investigation Guide', 'Linux', 'Logging', 'ML', 'macOS', 'Monitoring', 'Network', 'Okta', 'Packetbeat',
+ 'Post-Execution', 'SecOps', 'Windows'
]
- expected_case = {normalize(t): t for t in expected_tags}
+ expected_case = {t.casefold(): t for t in expected_tags}
for rule in self.all_rules:
rule_tags = rule.contents.data.tags
if rule_tags:
- invalid_tags = {t: expected_case[normalize(t)] for t in rule_tags
- if normalize(t) in list(expected_case) and t != expected_case[normalize(t)]}
+ invalid_tags = {t: expected_case[t.casefold()] for t in rule_tags
+ if t.casefold() in list(expected_case) and t != expected_case[t.casefold()]}
if invalid_tags:
error_msg = f'{self.rule_str(rule)} Invalid casing for expected tags\n'
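Review bot: The new `"Sysmon Only"` tag on the rogue named pipe rule is not added to the controlled `expected_tags` list that this same commit edits in tests/test_all_rules.py, so a differently cased variant on another rule (say `"Sysmon only"`) would pass test_casing_and_spacing unnoticed, unlike `"Investigation Guide"` which the commit does register. Adding `'Sysmon Only'` to that list next to `'Investigation Guide'` keeps the tag under the same casing check. The tag presumably means the rule's named-pipe telemetry is only available from Sysmon rather than the default Elastic Endpoint data; if so, that data-source requirement is worth spelling out in the rule's setup or note text, since operators filtering on tags alone get no hint which event source must be shipped for the rule to fire.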
