[Rule Tuning] Remove "process_started" from Windows Rules (#2238)

* [Rule Tuning] Remove "process_started" from Windows Rules * Additional, pending ones * Update defense_evasion_code_injection_conhost.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-09-19 11:06:30 -07:00
parent acdfe5ddab
commit d52c0d2257
109 changed files with 227 additions and 227 deletions
@@ -3,7 +3,7 @@ creation_date = "2020/12/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "New-MailboxExportRequest*"
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  ((process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or
      process.pe.original_file_name == "Command line RAR") and
    process.args == "a" and process.args : ("-hp*", "-p*", "-dw", "-tb", "-ta", "/hp*", "/p*", "/dw", "/tb", "/ta"))
@@ -3,7 +3,7 @@ creation_date = "2020/10/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  /* RDP port and usual SSH tunneling related switches in command line */
  process.args : "*:3389" and
  process.args : ("-L", "-P", "-R", "-pw", "-ssh")
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "desktopimgdownldr.exe" or process.pe.original_file_name == "desktopimgdownldr.exe") and
  process.args : "/lockscreenurl:http*"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 /* update here with any new lolbas with dump capability */
 (process.pe.original_file_name == "procdump" and process.args : "-ma") or
 (process.name : "ProcessDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Cisco Systems\\.*""") or
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (
    (process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and
       process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 process.pe.original_file_name == "reg.exe" and
 process.args : ("save", "export") and
 process.args : ("hklm\\sam", "hklm\\security")
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
   (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and
   process.args : "/list" and process.args : "/text*password"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and
  process.args : "connectionStrings" and process.args : "-pdf"
 '''
@@ -3,7 +3,7 @@ creation_date = "2022/04/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : "rundll32.exe" and

  /* Rundll32 WbeDav Client  */
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
  process.args:"/list*"
 '''
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : "attrib.exe" and process.args : "+h"
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("process_started", "start") and
+process where event.type == "start" and
  (
    (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and
    process.args : ("/e:false", "cl", "clear-log")
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and
  process.args : "deletejournal" and process.args : "usn"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : "netsh.exe" and
  (
    (process.args : "disable" and process.args : "firewall" and process.args : "set") or
@@ -3,7 +3,7 @@ creation_date = "2021/05/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and

  ((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and
      process.args : "EventLog-*" and process.args : ("stop", "delete")) or
@@ -3,7 +3,7 @@ creation_date = "2020/08/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : ("csc.exe", "vbc.exe") and
  process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe")
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/10/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and
 process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and
 process.args : ("action=allow", "enable=Yes", "enable")
@@ -3,7 +3,7 @@ creation_date = "2021/09/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 process.executable : ("?:\\Windows\\SysWOW64\\control.exe", "?:\\Windows\\System32\\control.exe") and
 process.command_line :
          ("*.jpg*",
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and
   /* necessary windows update client args to load a dll */
   process.args : "/RunHandlerComServer" and process.args : "/UpdateDeploymentProvider" and
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -99,7 +99,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : "MSBuild.exe" and
  process.parent.name : ("eqnedt32.exe",
                         "excel.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : "MSBuild.exe" and
  process.parent.name : ("explorer.exe", "wmiprvse.exe")
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.pe.original_file_name == "MSBuild.exe" and
  not process.name : "MSBuild.exe"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.parent.name : "MSBuild.exe" and
  process.name : ("csc.exe", "iexplore.exe", "powershell.exe")
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/10/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and
+process where event.type == "start" and
 /* add suspicious execution paths here */
 process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Windows\\Tasks\\*.exe","C:\\Intel\\*.exe","C:\\AMD\\Temp\\*.exe","C:\\Windows\\AppReadiness\\*.exe",
 "C:\\Windows\\ServiceState\\*.exe","C:\\Windows\\security\\*.exe","C:\\Windows\\IdentityCRL\\*.exe","C:\\Windows\\Branding\\*.exe","C:\\Windows\\csc\\*.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/04/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and
  process.args : "/dontLog*:*True" and
  not process.parent.name : "iissetup.exe"
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ query = '''
 /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */

 sequence by process.entity_id
-  [process where event.type in ("start", "process_started") and process.name : "installutil.exe"]
+  [process where event.type == "start" and process.name : "installutil.exe"]
  [network where process.name : "installutil.exe" and network.direction : ("outgoing", "egress")]
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and
+process where event.type == "start" and
 process.name : ("esensor.exe", "elastic-endpoint.exe") and
 process.parent.executable != null and
  /* add FPs here */
@@ -3,7 +3,7 @@ creation_date = "2020/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and
+process where event.type == "start" and
  process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe"
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.parent.name : "WerFault.exe" and
  not process.name : ("cofire.exe",
                      "psr.exe",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ query = '''
 /* duplicate of MsBuild Making Network Connections - 0e79980b-4250-4a50-a509-69294c14e84b */

 sequence by process.entity_id
-  [process where event.type in ("start", "process_started") and process.name : "MSBuild.exe"]
+  [process where event.type == "start" and process.name : "MSBuild.exe"]
  [network where process.name : "MSBuild.exe" and
     not (destination.ip == "127.0.0.1" and source.ip == "127.0.0.1")]
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ type = "eql"

 query = '''
 sequence by process.entity_id with maxspan=10m
-  [process where event.type in ("start", "process_started") and process.name : "mshta.exe" and
+  [process where event.type == "start" and process.name : "mshta.exe" and
     not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
     not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
          process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ query = '''
 /* duplicate of Network Connection via MsXsl - b86afe07-0d98-4738-b15d-8d7465f95ff5 */

 sequence by process.entity_id
-  [process where event.type in ("start", "process_started") and process.name : "msxsl.exe"]
+  [process where event.type == "start" and process.name : "msxsl.exe"]
  [network where process.name : "msxsl.exe" and network.direction : ("outgoing", "egress")]
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ type = "eql"

 query = '''
 sequence by process.entity_id with maxspan=5m
-  [process where event.type in ("start", "process_started") and
+  [process where event.type == "start" and

     /* known applocker bypasses */
     (process.name : "bginfo.exe" or
@@ -3,7 +3,7 @@ creation_date = "2022/05/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
   (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and
   (
    process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -25,11 +25,11 @@ type = "eql"

 query = '''
 sequence with maxspan=1h
-  [process where event.type in ("start", "process_started") and
+  [process where event.type == "start" and
     (process.name : "rundll32.exe" or process.pe.original_file_name == "RUNDLL32.EXE") and
      process.args_count == 1
  ] by process.entity_id
-  [process where event.type in ("start", "process_started") and process.parent.name : "rundll32.exe"
+  [process where event.type == "start" and process.parent.name : "rundll32.exe"
  ] by process.parent.entity_id
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/11/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and length(process.name) > 0 and
+process where event.type == "start" and length(process.name) > 0 and
 length(process.name) == 5 and host.os.name == "Windows" and length(process.pe.original_file_name) > 5
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ type = "eql"

 query = '''
 sequence by process.entity_id with maxspan = 2m
-[process where event.type in ("start", "process_started") and
+[process where event.type == "start" and
   (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and
   process.args : ("format*:*", "/format*:*", "*-format*:*") and
   not process.command_line : "* /format:table *"]
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and
+process where event.type == "start" and
 process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")
 '''

@@ -3,7 +3,7 @@ creation_date = "2021/05/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ type = "eql"

 query = '''
 sequence by host.id, process.entity_id with maxspan=1m
-  [process where event.type in ("start", "process_started") and process.name : "dllhost.exe" and process.args_count == 1]
+  [process where event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1]
  [network where process.name : "dllhost.exe" and
   not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ type = "eql"

 query = '''
 sequence by host.id, process.entity_id with maxspan=1m
-  [process where event.type in ("start", "process_started") and process.name : "rundll32.exe" and process.args_count == 1]
+  [process where event.type == "start" and process.name : "rundll32.exe" and process.args_count == 1]
  [network where process.name : "rundll32.exe" and
   not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
       "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.parent.pid == 4 and
  not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 process.name : "fltMC.exe" and process.args : "unload"
 '''

@@ -3,7 +3,7 @@ creation_date = "2022/03/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start","process_started")
+process where event.type == "start" 
    and process.name : "control.exe" and process.parent.name : "WorkFolders.exe"
    and not process.executable : ("?:\\Windows\\System32\\control.exe", "?:\\Windows\\SysWOW64\\control.exe")
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and
  process.args : ("objectcategory=computer", "(objectcategory=computer)",
                  "objectcategory=person", "(objectcategory=person)",
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
    ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
        not process.parent.name : "net.exe")) and
@@ -3,7 +3,7 @@ creation_date = "2020/03/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (?process.Ext.token.integrity_level_name : "System" or
  ?winlog.event_data.IntegrityLevel : "System") and
  (process.name : "whoami.exe" or
@@ -3,7 +3,7 @@ creation_date = "2022/05/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
    process.name : "nltest.exe" and process.args : (
        "/DCLIST:*", "/DCNAME:*", "/DSGET*",
        "/LSAQUERYFTI:*", "/PARENTDOMAIN",
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
   ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
       not process.parent.name : "net.exe")) and
@@ -72,7 +72,7 @@ process where event.type in ("start", "process_started") and


  /* expand when ancestry is available
-  and not descendant of [process where event.type == ("start", "process_started") and process.name : "cmd.exe" and
+  and not descendant of [process where event.type == "start" and process.name : "cmd.exe" and
                           ((process.parent.name : "userinit.exe") or
                            (process.parent.name : "gpscript.exe") or
                            (process.parent.name : "explorer.exe" and
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and
  process.args : "fsinfo" and process.args : "drives"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  ((process.name : "nbtstat.exe" and process.args : ("-n", "-s")) or
  (process.name : "arp.exe" and process.args : "-a"))
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
   (process.name:"wmic.exe" or process.pe.original_file_name:"wmic.exe") and
    process.args:"/namespace:\\\\root\\SecurityCenter2" and process.args:"Get"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and process.name : "whoami.exe" and
+process where event.type == "start" and process.name : "whoami.exe" and
 (

 (/* scoped for whoami execution under system privileges */
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and process.name: ("cmd.exe", "powershell.exe") and
+process where event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
 process.parent.name: (
     "ConfigurationWizard*.exe",
     "NetflowDatabaseMaintenance*.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
 not process.name : (
        "APMServiceControl*.exe",
@@ -3,7 +3,7 @@ creation_date = "2021/01/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 process.pe.original_file_name : "xwizard.exe" and
 (
   (process.args : "RunWizard" and process.args : "{*}") or
@@ -3,7 +3,7 @@ creation_date = "2020/08/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : "cmd.exe" and
  process.parent.name : ("lsass.exe",
                         "csrss.exe",
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name:
  (
    "arp.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/10/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and
+process where event.type == "start" and
  process.name : ("wscript.exe",
                  "cscript.exe",
                  "rundll32.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -94,7 +94,7 @@ sequence with maxspan=2h
      process.name : "MSPUB.EXE" or
      process.name : "MSACCESS.EXE")
  ] by host.id, file.path
-  [process where event.type in ("start", "process_started")] by host.id, process.executable
+  [process where event.type == "start"] by host.id, process.executable
 '''


@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -95,7 +95,7 @@ sequence with maxspan=2h
          file.name : "AcroRd32.exe" or
          file.name : "rdrcef.exe")
  ] by host.id, file.path
-  [process where event.type in ("start", "process_started")] by host.id, process.executable
+  [process where event.type == "start"] by host.id, process.executable
 '''


@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and
 process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>")
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/03/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.parent.name : ("AcroRd32.exe",
                         "Acrobat.exe",
                         "FoxitPhantomPDF.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/08/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and
+process where event.type == "start" and
  process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe"
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 process.parent.name : "hh.exe" and
 process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -89,7 +89,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : "conhost.exe" and
  process.parent.name : ("lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe", "rundll32.exe",
                         "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", "ctfmon.exe") and
@@ -3,7 +3,7 @@ creation_date = "2020/08/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : "cmd.exe" and process.parent.name : "sqlservr.exe" and
  not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*",
                      "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "wbadmin.exe" or process.pe.original_file_name == "WBADMIN.EXE") and
  process.args : "catalog" and process.args : "delete"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/03/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and
    (
      (process.args : "/set" and process.args : "bootstatuspolicy" and process.args : "ignoreallfailures") or
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -96,7 +96,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started")
+process where event.type == "start"
  and (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE") and
  process.args in ("delete", "resize") and process.args : "shadows*"
 '''
@@ -3,7 +3,7 @@ creation_date = "2021/07/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -100,7 +100,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
  process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and
  process.args : ("*Win32_ShadowCopy*") and
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "WMIC.exe" or process.pe.original_file_name == "wmic.exe") and
  process.args : "delete" and process.args : "shadowcopy"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe"
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/11/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ query = '''
 sequence by host.id with maxspan = 5s
    [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
     (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")]
-    [process where event.type in ("start", "process_started") and
+    [process where event.type == "start" and
     process.parent.name : "wmiprvse.exe" and
     user.domain != "NT AUTHORITY" and
     (process.pe.original_file_name :
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe") and
  process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe",
                "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.parent.name : "outlook.exe" and
  process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe",
                  "cdb.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/10/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (
   process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or
   process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE")
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ type = "eql"

 query = '''
 sequence by process.entity_id with maxspan = 1m
-  [process where event.type in ("start", "process_started") and
+  [process where event.type == "start" and
     (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
      process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
      process.args : ("create", "config", "failure", "start")]
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ type = "eql"

 query = '''
 sequence with maxspan=1m
-  [process where event.type in ("start", "process_started") and
+  [process where event.type == "start" and
     process.name : "mshta.exe" and process.args : "-Embedding"
  ] by host.id, process.entity_id
  [network where event.type == "start" and process.name : "mshta.exe" and
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ sequence by host.id with maxspan=1m
 destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and
  network.direction : ("incoming", "ingress") and network.transport == "tcp"
 ] by process.entity_id
- [process where event.type in ("start", "process_started") and process.parent.name : "mmc.exe"
+ [process where event.type == "start" and process.parent.name : "mmc.exe"
 ] by process.parent.entity_id
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ sequence by host.id with maxspan=5s
  network.direction : ("incoming", "ingress") and network.transport == "tcp" and
  source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
 ] by process.entity_id
- [process where event.type in ("start", "process_started") and
+ [process where event.type == "start" and
  process.parent.name : "explorer.exe"
 ] by process.parent.entity_id
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/11/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and process.executable : "\\Device\\Mup\\tsclient\\*.exe"
+process where event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe"
 '''


@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ type = "eql"
 query = '''
 sequence with maxspan=1m
  [file where event.type in ("creation", "change") and process.pid == 4 and file.extension : "exe"] by host.id, file.path
-  [process where event.type in ("start", "process_started")] by host.id, process.executable
+  [process where event.type == "start"] by host.id, process.executable
 '''


@@ -3,7 +3,7 @@ creation_date = "2020/11/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -33,10 +33,10 @@ sequence by host.id with maxspan = 2s

  /* Excluding Common FPs Nessus and SCCM */

-  [process where event.type in ("start", "process_started") and process.parent.name : "WmiPrvSE.exe" and
-   not process.args : ("C:\\windows\\temp\\nessus_*.txt",
-                       "C:\\windows\\TEMP\\nessus_*.TMP",
-                       "C:\\Windows\\CCM\\SystemTemp\\*",
+  [process where event.type == "start" and process.parent.name : "WmiPrvSE.exe" and
+   not process.args : ("C:\\windows\\temp\\nessus_*.txt", 
+                       "C:\\windows\\TEMP\\nessus_*.TMP", 
+                       "C:\\Windows\\CCM\\SystemTemp\\*", 
                       "C:\\Windows\\CCMCache\\*",
                       "C:\\CCM\\Cache\\*")
   ]
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
 not process.parent.name : "net.exe")) and
 process.args : "use" and
@@ -3,7 +3,7 @@ creation_date = "2020/11/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ sequence by host.id with maxspan=1m
   registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*")
  ]

-  [process where event.type in ("start", "process_started") and
+  [process where event.type == "start" and
   (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
   not process.name : "conhost.exe"
   ]
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe") and
  process.args : ("copy*", "move*", "cp", "mv") and process.args : "*$*"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/11/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ sequence with maxspan=1s
      source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1"
   ] by host.id, process.entity_id

-   [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and
+   [process where event.type == "start" and process.parent.name : "services.exe" and 
       not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and
       not (process.name : "msiexec.exe" and process.args : "/V") and
       not process.executable :
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ type = "eql"

 query = '''
 sequence by process.entity_id with maxspan = 5m
-  [process where event.type in ("start", "process_started") and
+  [process where event.type == "start" and
    not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")]
  [registry where event.type in ("creation", "change") and
    registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]
@@ -3,7 +3,7 @@ creation_date = "2020/12/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
 '''

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and
+process where event.type == "start" and
 process.parent.name : ("Utilman.exe", "winlogon.exe") and user.name == "SYSTEM" and
 process.args :
    (
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -25,9 +25,9 @@ type = "eql"
 query = '''
 /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */
 sequence by host.id, user.name with maxspan=1m
-  [process where event.type in ("start", "process_started") and process.name : "userinit.exe" and process.parent.name : "winlogon.exe"]
-  [process where event.type in ("start", "process_started") and process.name : "explorer.exe"]
-  [process where event.type in ("start", "process_started") and process.parent.name : "explorer.exe" and
+  [process where event.type == "start" and process.name : "userinit.exe" and process.parent.name : "winlogon.exe"]
+  [process where event.type == "start" and process.name : "explorer.exe"]
+  [process where event.type == "start" and process.parent.name : "explorer.exe" and
   /* add suspicious programs here */
   process.pe.original_file_name in ("cscript.exe",
                                     "wscript.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/11/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ type = "eql"

 query = '''
 sequence by host.id, process.entity_id with maxspan=5s
-  [process where event.type in ("start", "process_started") and process.code_signature.trusted == false and
+  [process where event.type == "start" and process.code_signature.trusted == false and
  /* suspicious paths can be added here  */
   process.executable : ("C:\\Users\\*.exe",
                         "C:\\ProgramData\\*.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.parent.name : "services.exe" and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") and

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.name : ("net.exe", "net1.exe") and
  not process.parent.name : "net.exe" and
  (process.args : "user" and process.args : ("/ad", "/add"))
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and process.name : "sdbinst.exe"
+process where event.type == "start" and process.name : "sdbinst.exe"
 '''


@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and
  not process.name : ("conhost.exe",
                      "DeviceCensus.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
  (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
  process.args : "create" and
  process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer")
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type == "start" and
 process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and
 process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*"
 '''
@@ -3,7 +3,7 @@ creation_date = "2020/10/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/15"

 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and process.name : "Clipup.exe" and
+process where event.type == "start" and process.name : "Clipup.exe" and
  not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and
  /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
  process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"
--- a/Show More
+++ b/Show More