Fix pipe characters in rule descriptions (#4893)

shashank-elastic · tradebot-elastic · commit 699902bd6fcd · 2025-07-10T09:44:04.000Z
(cherry picked from commit b707920)
diff --git a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ note = """
 ### Investigating AWS S3 Object Encryption Using External KMS Key
 
 This rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.
-This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.
+This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.
 
 #### Possible Investigation Steps:
 
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ note = """## Triage and analysis
 
 AWS access keys created for IAM users or root user are long-term credentials that provide programmatic access to AWS.
 With access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new
-set of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
+set of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
 to look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.
 
 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ note = """## Triage and analysis
 
 The AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.
 With access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach
-this policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
+this policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
 to look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.
 
 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 
 The AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.
 With access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach
-this policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
+this policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
 to look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.
 
 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 
 The AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.
 With access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach
-this policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
+this policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
 to look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.
 
 
diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
+min_stack_comments = "Elastic ESQL values aggregation is more performant in 8.16.5 and above."
 min_stack_version = "8.17.0"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/08"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ This rule identifies when Microsoft Graph is accessed from a different IP than t
 but using the same session ID within 5 minutes. This may suggest an adversary has stolen a session cookie or refresh/access
 token and is impersonating the user from an alternate host or location.
 
-This rule uses ES|QL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be
+This rule uses ESQL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be
 performed to the original sign-in and Graph events for further context.
 
 ### Investigation Steps
diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ note = """## Triage and Analysis
 
 This rule detects an excessive number of files downloaded from OneDrive using OAuth authentication. Threat actors may use OAuth phishing attacks, such as **Device Code Authentication phishing**, to obtain valid access tokens and perform unauthorized data exfiltration. This method allows adversaries to bypass traditional authentication mechanisms, making it a stealthy and effective technique.
 
-This rule leverages ES|QL aggregations which limit the field values available in the alert document. To investigate further, it is recommended to identify the original documents ingested.
+This rule leverages ESQL aggregations which limit the field values available in the alert document. To investigate further, it is recommended to identify the original documents ingested.
 
 #### Possible Investigation Steps
 
diff --git a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ note = """## Triage and Analysis
 
 Detects a burst of Microsoft 365 user account lockouts within a short 5-minute window. A high number of IdsLocked login errors across multiple user accounts may indicate brute-force attempts for the same users resulting in lockouts.
 
-This rule uses ES|QL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be performed to the original sign-in and Graph events for further context.
+This rule uses ESQL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be performed to the original sign-in and Graph events for further context.
 
 ### Investigation Steps
 
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ note = """## Triage and analysis
 This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
 
 #### Possible investigation steps:
-- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.
+- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ note = """## Triage and analysis
 This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.
 
 #### Possible investigation steps:
-Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.
+Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ note = """## Triage and analysis
 This rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.
 
 #### Possible investigation steps:
-- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.
+- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.
diff --git a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ note = """## Triage and analysis
 This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.
 
 #### Possible investigation steps:
-- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.
+- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.
diff --git a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ note = """
 This rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.
 
 #### Possible investigation steps:
-- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.
+- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
@@ -2,14 +2,14 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule detects a high number of egress network connections from an unusual executable on a Linux system. This could
 indicate a command and control (C2) communication attempt, a brute force attack via a malware infection, or other
-malicious activity. ES|QL rules have limited fields available in its alert documents. Make sure to review the original
+malicious activity. ESQL rules have limited fields available in its alert documents. Make sure to review the original
 documents to aid in the investigation of this alert.
 """
 from = "now-61m"
diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml
@@ -2,14 +2,14 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule leverages ES|QL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may use base64
+This rule leverages ESQL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may use base64
 encoding/decoding to obfuscate data, such as command and control traffic or payloads, to evade detection by host- or
-network-based security controls. ES|QL rules have limited fields available in its alert documents. Make sure to review
+network-based security controls. ESQL rules have limited fields available in its alert documents. Make sure to review
 the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"
diff --git a/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential port scanning activity from a compromised host. Port
 technique used by attackers to identify open ports and services on a target system. A compromised host may exhibit port
 scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable services, or
 prepare for further exploitation. This rule identifies potential port scanning activity by monitoring network connection
-attempts from a single host to a large number of ports within a short time frame. ES|QL rules have limited fields
+attempts from a single host to a large number of ports within a short time frame. ESQL rules have limited fields
 available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"
diff --git a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential subnet scanning activity from a compromised host. Su
 technique used by attackers to identify live hosts within a network range. A compromised host may exhibit subnet
 scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable hosts, or prepare
 for further exploitation. This rule identifies potential subnet scanning activity by monitoring network connection
-attempts from a single host to a large number of hosts within a short time frame. ES|QL rules have limited fields
+attempts from a single host to a large number of hosts within a short time frame. ESQL rules have limited fields
 available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"
diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
@@ -2,13 +2,13 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule leverages ES|QL to detect the execution of unusual file transfer utilities on Linux systems. Attackers may use
-these utilities to exfiltrate data from a compromised system. ES|QL rules have limited fields available in its alert
+This rule leverages ESQL to detect the execution of unusual file transfer utilities on Linux systems. Attackers may use
+these utilities to exfiltrate data from a compromised system. ESQL rules have limited fields available in its alert
 documents. Make sure to review the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"
diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml
diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml
diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml
