Updated failing rules for integrations check

eric-forte-elastic · eric-forte-elastic · commit b7fc26ad11b4 · 2024-10-21T15:47:42.000-04:00
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/14"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/03/27"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/09/09"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/09/25"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/24"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/03/18"
-integration = ["endpoint", "m365_defender"]
+integration = ["endpoint", "m365_defender", "windows"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/11/27"
-integration = ["windows"]
+integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/30"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/20"
-integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/03"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "m365_defender"]
+integration = ["endpoint", "windows", "m365_defender", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/20"
-integration = ["endpoint", "windows", "m365_defender"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/30"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/06/19"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for Sentinel One Cloud Funnel Integration"
 min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/11"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint"]
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/05/29"
-integration = ["endpoint"]
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/09/12"
-integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "windows"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/09/16"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/26"
-integration = ["endpoint"]
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]
