Updated failing rules for integrations checks

rules/windows/command_and_control_rdp_tunnel_plink.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/14"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
 min_stack_comments = "SentinelOne integration package minimum version for validation."
 min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/command_and_control_screenconnect_childproc.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/03/27"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
 min_stack_comments = "SentinelOne integration package minimum version for validation."
 min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/10/21"
 
 
 [rule]

rules/windows/credential_access_cmdline_dump_tool.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/24"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/credential_access_persistence_network_logon_provider_modification.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/03/18"
-integration = ["endpoint", "m365_defender"]
+integration = ["endpoint", "m365_defender", "windows"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/21"
 
 [transform]
 [[transform.osquery]]

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/04/30"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/credential_access_saved_creds_vaultcmd.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/12/25"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/11/27"
-integration = ["windows"]
+integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/07/07"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/08/21"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/07/07"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_from_unusual_directory.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/30"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/21"
 
 [transform]
 [[transform.osquery]]

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/08/24"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_masquerading_trusted_directory.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint", "windows", "m365_defender"]
+integration = ["endpoint", "windows", "m365_defender", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_sip_provider_mod.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/20"
-integration = ["endpoint"]
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_suspicious_zoom_child_process.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/03"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
 min_stack_comments = "SentinelOne integration package minimum version for validation."
 min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+updated_date = "2024/10/21"
 
 [transform]
 [[transform.osquery]]

rules/windows/defense_evasion_unusual_system_vp_child_program.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/defense_evasion_via_filter_manager.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "m365_defender"]
+integration = ["endpoint", "windows", "m365_defender", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [transform]
 [[transform.osquery]]

rules/windows/discovery_group_policy_object_discovery.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/18"
-integration = ["windows", "endpoint"]
+integration = ["windows", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/discovery_peripheral_device.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/02"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/execution_com_object_xwizard.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/20"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/execution_suspicious_pdf_reader.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/30"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/execution_via_compiled_html_file.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [transform]
 [[transform.osquery]]

rules/windows/execution_via_mmc_console_file_unusual_path.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/06/19"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.8.0 for Sentinel One Cloud Funnel Integration"
 min_stack_version = "8.12.0"
-updated_date = "2024/07/09"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/impact_modification_of_boot_config.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/16"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/initial_access_webshell_screenconnect_server.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/03/26"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/03/22"
-integration = ["endpoint"]
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/lateral_movement_execution_from_tsclient_mup.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/11"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/02"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/04"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/lateral_movement_unusual_dns_service_children.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]

rules/windows/persistence_evasion_registry_ifeo_injection.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
-integration = ["endpoint"]
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/21"
 
 [rule]
 author = ["Elastic"]