elastic · w0rk3r · Feb 24, 2025 · Feb 24, 2025 · Feb 24, 2025 · Mar 15, 2025
diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/14"
+updated_date = "2025/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,14 @@ Outlook's integration with the Component Object Model (COM) allows processes to
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the suspicious activity.
 - Review and update endpoint protection policies to ensure that similar threats are detected and blocked in the future, leveraging the MITRE ATT&CK framework for guidance on email collection techniques."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -100,6 +100,32 @@ process where host.os.type == "windows" and event.type == "start" and
   process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
   process.command_line : ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/11/02"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -62,14 +62,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
     "Domain: Endpoint",
@@ -112,6 +104,27 @@ process where host.os.type == "windows" and event.type == "start" and
         "\\Device\\HarddiskVolume?\\Nox\\bin\\Nox.exe"
       )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -133,6 +133,32 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
  (process.name : "CertReq.exe" or ?process.pe.original_file_name == "CertReq.exe") and process.args : "-Post"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 
 [transform]
 [[transform.investigate]]
@@ -298,6 +298,14 @@ network where host.os.type == "windows" and network.protocol == "dns" and
                               "Amazon.com Services LLC"))
     )
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -84,6 +84,27 @@ sequence by host.id with maxspan=5m
 [process where host.os.type == "windows" and event.type == "start" and
   process.name : "nslookup.exe" and process.args:("-querytype=*", "-qt=*", "-q=*", "-type=*")] with runs = 10
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -19,14 +19,6 @@ license = "Elastic License v2"
 name = "Connection to Commonly Abused Free SSL Certificate Providers"
 risk_score = 21
 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
 tags = [
     "Domain: Endpoint",
@@ -90,6 +82,17 @@ Free SSL certificates, like those from Let's Encrypt, enable secure web traffic
 - Restore the system from a known good backup if any critical system files or configurations have been altered.
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/10"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -82,6 +82,32 @@ process where host.os.type == "windows" and event.type == "start" and
       "explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe", "hh.exe", "powerpnt.exe", "forfiles.exe",
       "pcalua.exe", "wmiprvse.exe")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -85,6 +85,14 @@ Internet Explorer can be manipulated via the Component Object Model (COM) to ini
 - Restore the affected system from a known good backup if malware is confirmed and cannot be fully removed, ensuring that the backup is free from compromise.
 - Implement network-level controls to block the identified suspicious domains and IP addresses to prevent future communication attempts.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 
 [transform]
 [[transform.osquery]]
@@ -144,6 +144,14 @@ file where host.os.type == "windows" and event.action == "rename" and
         "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe"
   )
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 
 
 [[rule.threat]]

diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -278,6 +278,17 @@ host.os.type: "windows" and
 
 	not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 
 
 [[rule.threat]]