Add rule docs for 8.6 rule changes

.gitignore

@@ -1,3 +1,6 @@
 .DS_Store
 docs/html_docs
 /html_docs
+
+# development files
+*launch.json*

docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc

@@ -5,6 +5,9 @@ The following lists prebuilt rule updates per release. Only rules with
 significant modifications to their query or scope are listed. For detailed
 information about a rule's changes, see the rule's description page.
 
+[float]
+=== 8.6.0
+
 [float]
 === 8.5.0
 

docs/detections/prebuilt-rules/rule-desc-index.asciidoc

@@ -358,6 +358,7 @@ include::rule-details/multi-factor-authentication-disabled-for-an-azure-user.asc
 include::rule-details/multiple-logon-failure-followed-by-logon-success.asciidoc[]
 include::rule-details/multiple-logon-failure-from-the-same-source-address.asciidoc[]
 include::rule-details/multiple-vault-web-credentials-read.asciidoc[]
+include::rule-details/my-first-rule.asciidoc[]
 include::rule-details/ntds-or-sam-database-file-copied.asciidoc[]
 include::rule-details/namespace-manipulation-using-unshare.asciidoc[]
 include::rule-details/netcat-network-activity.asciidoc[]

docs/detections/prebuilt-rules/rule-details/administrator-privileges-assigned-to-an-okta-group.asciidoc

@@ -35,11 +35,11 @@ Detects when an administrator role is assigned to an Okta group. An adversary ma
 * SecOps
 * Monitoring
 
-*Version*: 100 (<<administrator-privileges-assigned-to-an-okta-group-history, version history>>)
+*Version*: 101 (<<administrator-privileges-assigned-to-an-okta-group-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -82,6 +82,9 @@ event.dataset:okta.system and event.action:group.privilege.grant
 [[administrator-privileges-assigned-to-an-okta-group-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/administrator-role-assigned-to-an-okta-user.asciidoc

@@ -34,11 +34,11 @@ Identifies when an administrator role is assigned to an Okta user. An adversary
 * Monitoring
 * Continuous Monitoring
 
-*Version*: 100 (<<administrator-role-assigned-to-an-okta-user-history, version history>>)
+*Version*: 101 (<<administrator-role-assigned-to-an-okta-user-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -82,6 +82,9 @@ event.action:user.account.privilege.grant
 [[administrator-role-assigned-to-an-okta-user-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/adversary-behavior-detected-elastic-endgame.asciidoc

@@ -40,8 +40,8 @@ Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon i
 [source,js]
 ----------------------------------
 event.kind:alert and event.module:endgame and
-(event.action:behavior_protection_event or
-endgame.event_subtype_full:behavior_protection_event)
+(event.action:rules_engine_event or
+endgame.event_subtype_full:rules_engine_event)
 ----------------------------------
 
 

docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc

@@ -34,11 +34,11 @@ Detects when a Google marketplace application is added to the Google Workspace d
 * Configuration Audit
 * Persistence
 
-*Version*: 100 (<<application-added-to-google-workspace-domain-history, version history>>)
+*Version*: 101 (<<application-added-to-google-workspace-domain-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -85,6 +85,9 @@ event.category:iam and event.action:ADD_APPLICATION
 [[application-added-to-google-workspace-domain-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/application-removed-from-blocklist-in-google-workspace.asciidoc

@@ -34,10 +34,12 @@ Google Workspace administrators may be aware of malicious applications within th
 * Configuration Audit
 * Impair Defenses
 
-*Version*: 1
+*Version*: 2 (<<application-removed-from-blocklist-in-google-workspace-history, version history>>)
 
 *Added ({stack} release)*: 8.5.0
 
+*Last modified ({stack} release)*: 8.6.0
+
 *Rule authors*: Elastic
 
 *Rule license*: Elastic License v2
@@ -86,3 +88,10 @@ and google_workspace.admin.new_value: *allowed*true*
 ** Name: Impair Defenses
 ** ID: T1562
 ** Reference URL: https://attack.mitre.org/techniques/T1562/
+
+[[application-removed-from-blocklist-in-google-workspace-history]]
+==== Rule version history
+
+Version 2 (8.6.0 release)::
+* Formatting only
+

docs/detections/prebuilt-rules/rule-details/attempt-to-create-okta-api-token.asciidoc

@@ -34,11 +34,11 @@ Detects attempts to create an Okta API token. An adversary may create an Okta AP
 * SecOps
 * Monitoring
 
-*Version*: 100 (<<attempt-to-create-okta-api-token-history, version history>>)
+*Version*: 101 (<<attempt-to-create-okta-api-token-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -81,6 +81,9 @@ event.dataset:okta.system and event.action:system.api_token.create
 [[attempt-to-create-okta-api-token-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-application.asciidoc

@@ -36,11 +36,11 @@ Detects attempts to deactivate an Okta application. An adversary may attempt to
 * Monitoring
 * Impact
 
-*Version*: 100 (<<attempt-to-deactivate-an-okta-application-history, version history>>)
+*Version*: 101 (<<attempt-to-deactivate-an-okta-application-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -84,6 +84,9 @@ event.action:application.lifecycle.deactivate
 [[attempt-to-deactivate-an-okta-application-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-network-zone.asciidoc

@@ -36,11 +36,11 @@ Detects attempts to deactivate an Okta network zone. Okta network zones can be c
 * Network Security
 * Defense Evasion
 
-*Version*: 100 (<<attempt-to-deactivate-an-okta-network-zone-history, version history>>)
+*Version*: 101 (<<attempt-to-deactivate-an-okta-network-zone-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -83,6 +83,9 @@ event.dataset:okta.system and event.action:zone.deactivate
 [[attempt-to-deactivate-an-okta-network-zone-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy-rule.asciidoc

@@ -36,11 +36,11 @@ Detects attempts to deactivate a rule within an Okta policy. An adversary may at
 * Identity and Access
 * Defense Evasion
 
-*Version*: 100 (<<attempt-to-deactivate-an-okta-policy-rule-history, version history>>)
+*Version*: 101 (<<attempt-to-deactivate-an-okta-policy-rule-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -83,6 +83,9 @@ event.dataset:okta.system and event.action:policy.rule.deactivate
 [[attempt-to-deactivate-an-okta-policy-rule-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy.asciidoc

@@ -36,11 +36,11 @@ Detects attempts to deactivate an Okta policy. An adversary may attempt to deact
 * Monitoring
 * Defense Evasion
 
-*Version*: 100 (<<attempt-to-deactivate-an-okta-policy-history, version history>>)
+*Version*: 101 (<<attempt-to-deactivate-an-okta-policy-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -83,6 +83,9 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate
 [[attempt-to-deactivate-an-okta-policy-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc

@@ -34,11 +34,11 @@ Detects attempts to deactivate multi-factor authentication (MFA) for an Okta use
 * SecOps
 * Identity and Access
 
-*Version*: 100 (<<attempt-to-deactivate-mfa-for-an-okta-user-account-history, version history>>)
+*Version*: 101 (<<attempt-to-deactivate-mfa-for-an-okta-user-account-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -81,6 +81,9 @@ event.dataset:okta.system and event.action:user.mfa.factor.deactivate
 [[attempt-to-deactivate-mfa-for-an-okta-user-account-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-application.asciidoc

@@ -35,11 +35,11 @@ Detects attempts to delete an Okta application. An adversary may attempt to modi
 * Monitoring
 * Impact
 
-*Version*: 100 (<<attempt-to-delete-an-okta-application-history, version history>>)
+*Version*: 101 (<<attempt-to-delete-an-okta-application-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -83,6 +83,9 @@ event.action:application.lifecycle.delete
 [[attempt-to-delete-an-okta-application-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-network-zone.asciidoc

@@ -36,11 +36,11 @@ Detects attempts to delete an Okta network zone. Okta network zones can be confi
 * Network Security
 * Defense Evasion
 
-*Version*: 100 (<<attempt-to-delete-an-okta-network-zone-history, version history>>)
+*Version*: 101 (<<attempt-to-delete-an-okta-network-zone-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -83,6 +83,9 @@ event.dataset:okta.system and event.action:zone.delete
 [[attempt-to-delete-an-okta-network-zone-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy-rule.asciidoc

@@ -36,11 +36,11 @@ Detects attempts to delete a rule within an Okta policy. An adversary may attemp
 * Monitoring
 * Defense Evasion
 
-*Version*: 100 (<<attempt-to-delete-an-okta-policy-rule-history, version history>>)
+*Version*: 101 (<<attempt-to-delete-an-okta-policy-rule-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -83,6 +83,9 @@ event.dataset:okta.system and event.action:policy.rule.delete
 [[attempt-to-delete-an-okta-policy-rule-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy.asciidoc

@@ -36,11 +36,11 @@ Detects attempts to delete an Okta policy. An adversary may attempt to delete an
 * Monitoring
 * Defense Evasion
 
-*Version*: 100 (<<attempt-to-delete-an-okta-policy-history, version history>>)
+*Version*: 101 (<<attempt-to-delete-an-okta-policy-history, version history>>)
 
 *Added ({stack} release)*: 7.9.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -83,6 +83,9 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete
 [[attempt-to-delete-an-okta-policy-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only
 

docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-application.asciidoc

@@ -36,11 +36,11 @@ Detects attempts to modify an Okta application. An adversary may attempt to modi
 * Monitoring
 * Impact
 
-*Version*: 100 (<<attempt-to-modify-an-okta-application-history, version history>>)
+*Version*: 101 (<<attempt-to-modify-an-okta-application-history, version history>>)
 
 *Added ({stack} release)*: 7.11.0
 
-*Last modified ({stack} release)*: 8.5.0
+*Last modified ({stack} release)*: 8.6.0
 
 *Rule authors*: Elastic
 
@@ -80,6 +80,9 @@ event.action:application.lifecycle.update
 [[attempt-to-modify-an-okta-application-history]]
 ==== Rule version history
 
+Version 101 (8.6.0 release)::
+* Formatting only
+
 Version 100 (8.5.0 release)::
 * Formatting only