diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz index cfd658fed38..b0033e71d5b 100644 Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ diff --git a/detection_rules/etc/beats_schemas/v9.3.4.json.gz b/detection_rules/etc/beats_schemas/v9.3.4.json.gz new file mode 100644 index 00000000000..24380c5c198 Binary files /dev/null and b/detection_rules/etc/beats_schemas/v9.3.4.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz index f91eb552c6d..771256dcaac 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz index 557b4ce4102..f4863a26f0e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz index 572e283abaa..8fce2d01c34 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz index 7fe170cedca..406174a9338 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz index 0b61dfb079a..2d932f3055d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz index 03a5ab6f950..1d4523eab8e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz index b265d862d3b..ad4d3811b12 100644 Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz index 79cafb14707..7bf30837400 100644 Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz index 0b6bf515b55..a37735d6ca6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz index 41310dc5b69..03c9681112d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz index 6fdab0a629e..565cbbca69a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz index 779a634a465..df0c5f6d24b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz index f1936f05b27..e06a18ffb53 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz index 7932a2ecfd8..1e896caf600 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz index 6e356e75002..852bf7251f6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz index 99b4d18d059..c7628178dcc 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz index 7218ff04b90..2082a3b7255 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz index f3546c8f574..0a3481b4aa1 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz index 444cc41fe2d..9655be99a2c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz index ecba8dc07a8..18fa2fed12a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz index b7d20d3fb2d..b52392f7603 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz index ec6fd293ea6..7cf8ca8a384 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz index e962806ddbb..cf970e0d7c2 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz index 2727267303e..3ff12955d9d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz index 609c6d7fcee..54a0640b925 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz index 0e56ff2bf8f..61d7ac40ba3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz index d16e23447c5..a95145cd427 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz index cd14c2198aa..6a3f00337e6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz index 1a8965bfba2..c7fbfe0c5be 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz index a234a3da8a9..7c27cbf1b66 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz index 5c42efb1d10..c4630b6ee82 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz index 1631400ef32..cbc94cf3b4c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz index 6496d19ee93..cf60e6bb61f 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz index 7092c1deb9a..8f80d36421f 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz index b921a37c896..cae6499465b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz index a5609e10068..f8097bf50e4 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz index 621c004470c..51f807f66af 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz index 10b420a124d..824692c420a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz index 9bd652022f1..4922380bcfe 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz index f38a20b93bf..6aadfb9db60 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz index 7388a7467e9..435bf845b9a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz index 95c7d7f9afa..64b8f2b95ae 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz index 56ea0990adf..6b47044d922 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz index 7e1b0b584c0..d117d42872e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz index 83d17f68669..58367cc4f40 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz index 685a523674d..0d04c2dbdaa 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz index d7d9c9e78f8..ee97c4dbe2b 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz index d47b8905714..8671d3802e4 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz index c83c0c11d9f..1c78100be2b 100644 Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz index dd09c7c7a67..38fa16cc2c0 100644 Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz index 3116aa8c1d3..fa32e881f44 100644 Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz index 848dc43733f..485948d097b 100644 Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz index 03bac894c4a..d85f749e0d7 100644 Binary files a/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz index bd39bcf9607..2c92c614291 100644 Binary files a/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz index 1f5d4662182..613d79d960c 100644 Binary files a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz index 497c9f8ca9c..a1761f2c4c3 100644 Binary files a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz index aa93b0ffd15..a837c4fa9ab 100644 Binary files a/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz index f26d8241a22..0b7837c9e29 100644 Binary files a/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz index a32fe24a72b..5a936162134 100644 Binary files a/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz index a3b3b0e006b..b84b3889e81 100644 Binary files a/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index b4664f04889..7b4995b07d0 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index d43100d67e0..e006d655548 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index a532c85853f..7b8c539f0f0 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -150,11 +150,11 @@ endgame: "8.4.0" "9.4.0": - beats: "9.3.3" + beats: "9.3.4" ecs: "9.4.0-rc1" endgame: "8.4.0" "9.5.0": - beats: "9.3.3" + beats: "9.3.4" ecs: "9.4.0-rc1" endgame: "8.4.0" \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index 60d9411e47d..2774b1692c6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.6.31" +version = "1.6.32" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index e79f7194913..ccfb2ce64c2 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/04/21" +updated_date = "2026/05/04" [rule] author = ["Elastic"] @@ -26,6 +26,28 @@ index = [ language = "eql" license = "Elastic License v2" name = "Microsoft IIS Service Account Password Dumped" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Microsoft IIS Service Account Password Dumped + +This rule detects the IIS administration utility being launched to print full web server configuration or credential-bearing settings, which can expose application pool usernames, passwords, and connection strings in clear text. An attacker who lands on a Windows web server through a web shell can run the tool to enumerate process model settings, recover the service account password, and reuse those credentials for lateral movement or deeper access to backend systems. + +### Possible investigation steps + +- Review the process tree, executing user, logon session, integrity level, and remote-interactive context to determine whether the command was launched by an authorized administrator, a scripted maintenance task, or through a suspicious parent such as cmd.exe, powershell.exe, w3wp.exe, or a web shell. +- Build a short timeline on the host around the execution to identify adjacent discovery or credential-access activity, including archive or encode tools, file staging in web directories, registry access, and outbound connections to unusual internal or external destinations. +- Inspect recent IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files, requests containing command-execution parameters, uploads to writable web paths, or authentication bypass behavior preceding the event. +- Determine which application pools, virtual directories, or connection strings were exposed, then review subsequent authentication and service activity for the recovered account on other systems to spot lateral movement, privilege escalation, or access to databases and file shares. +- If the activity is unauthorized, preserve the relevant IIS configuration and web content for forensics, search the environment for the same account or host communicating elsewhere, and prioritize password rotation for affected service accounts and secrets. + +### False positive analysis + +- An IIS administrator may legitimately run AppCmd to review application pool identities or troubleshoot authentication issues, so verify the command aligns with an approved maintenance window or change request and was launched by an expected administrative account. +- A scheduled server administration script may enumerate full IIS configuration or connection strings during backup, migration validation, or configuration auditing, so confirm the parent process and execution time match a known scheduled task or recurring maintenance pattern and that no suspicious follow-on activity occurred. +""" references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"] risk_score = 21 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343" @@ -42,6 +64,7 @@ tags = [ "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql"