elastic
diff --git a/‎rules/apm/apm_403_response_to_a_post.toml‎
Lines changed: 1 addition & 1 deletion b/‎rules/apm/apm_403_response_to_a_post.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/apm/apm_405_response_method_not_allowed.toml‎
Lines changed: 1 addition & 1 deletion b/‎rules/apm/apm_405_response_method_not_allowed.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/apm/apm_sqlmap_user_agent.toml‎
Lines changed: 1 addition & 1 deletion b/‎rules/apm/apm_sqlmap_user_agent.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml‎
Lines changed: 6 additions & 6 deletions b/‎rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎rules/cross-platform/command_and_control_non_standard_ssh_port.toml‎
Lines changed: 2 additions & 2 deletions b/‎rules/cross-platform/command_and_control_non_standard_ssh_port.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml‎
Lines changed: 1 addition & 1 deletion b/‎rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/cross-platform/credential_access_forced_authentication_pipes.toml‎
Lines changed: 1 addition & 1 deletion b/‎rules/cross-platform/credential_access_forced_authentication_pipes.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml‎
Lines changed: 1 addition & 1 deletion b/‎rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml‎
Lines changed: 1 addition & 1 deletion b/‎rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml‎
Lines changed: 1 addition & 1 deletion b/‎rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml‎
Lines changed: 1 addition & 1 deletion
@@ -35,7 +35,7 @@ http.response.status_code:403 and http.request.method:post
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating Web Application Suspicious Activity: POST Request Declined
 
 
@@ -35,7 +35,7 @@ http.response.status_code:405
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating Web Application Suspicious Activity: Unauthorized Method
 
 
@@ -35,7 +35,7 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating Web Application Suspicious Activity: sqlmap User Agent
 
 
@@ -39,20 +39,20 @@ query = '''
 process where
 
     /* common browser processes  */
-    event.action in ("exec", "fork", "start") and 
+    event.action in ("exec", "fork", "start") and
 
-    process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable", 
-                    "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe", 
-                    "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox", 
-                    "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and 
+    process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
+                    "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
+                    "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
+                    "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and
 
     /* Look for Google Drive download URL with AV flag skipping */
     (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")
 '''
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating Suspicious File Downloaded from Google Drive
 
 
@@ -44,7 +44,7 @@ sequence by process.entity_id with maxspan=1m
    "run"
    )
   ]
-  [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and 
+  [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and
    destination.port != 22 and network.transport == "tcp" and not (
      destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
        destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
@@ -59,7 +59,7 @@ sequence by process.entity_id with maxspan=1m
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating Potential Non-Standard Port SSH connection
 
 
@@ -67,7 +67,7 @@ process where event.type in ("start", "process_started", "info") and
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating Potential Cookies Theft via Browser Debugging
 
 
@@ -63,7 +63,7 @@ sequence with maxspan=15s
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating Active Directory Forced Authentication from Linux Host - SMB Named Pipes
 
 
@@ -34,7 +34,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch)
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating Agent Spoofing - Mismatched Agent ID
 
 
@@ -34,7 +34,7 @@ event.agent_id_status:* and not tags:forwarded
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating Agent Spoofing - Multiple Hosts Using Same Agent
 
 
@@ -52,7 +52,7 @@ file where event.type == "deletion" and
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating WebServer Access Logs Deleted
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ sequence by process.entity_id with maxspan=1m`
`44`	`44`	`"run"`
`45`	`45`	`)`
`46`	`46`	`]`
`47`		`- [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and`
	`47`	`+ [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and`
`48`	`48`	`destination.port != 22 and network.transport == "tcp" and not (`
`49`	`49`	`destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(`
`50`	`50`	`destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",`
`@@ -59,7 +59,7 @@ sequence by process.entity_id with maxspan=1m`
`59`	`59`	`note = """## Triage and analysis`
`60`	`60`
`61`	`61`	`> Disclaimer:`
`62`		`-> This investigation guide was generated using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.`
	`62`	`+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.`
`63`	`63`
`64`	`64`	`### Investigating Potential Non-Standard Port SSH connection`
`65`	`65`