[Docs][SIEM] Updates rule changeling for 7.6.2 (elastic#966) (elastic…

…#970) * updates rules version * and the rule itself
benskelker · Apr 1, 2020 · 2773656 · 2773656
1 parent f96bd5d
commit 2773656
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/docs/en/siem/prebuilt-rules-changelog.asciidoc b/docs/en/siem/prebuilt-rules-changelog.asciidoc
@@ -5,6 +5,21 @@ beta[]
 
 This section lists all changes to prebuilt rules:
 
+[[adobe-hijack-persistence-history]]
+[%collapsible]
+.<<adobe-hijack-persistence>>
+====
+[width="100%",options="header"]
+|==============================================
+|Version |Release |Change
+|2
+|7.6.2
+|Fixed typo in rule query (from `not process.name:msiexeec.exe` to
+`not process.name:msiexec.exe`).
+
+|==============================================
+====
+
 [[dns-activity-to-the-internet-history]]
 [%collapsible]
 .<<dns-activity-to-the-internet>>

diff --git a/docs/en/siem/prebuilt-rules-reference.asciidoc b/docs/en/siem/prebuilt-rules-reference.asciidoc
@@ -14,7 +14,7 @@ the user in an attempt to evade detection. |[Elastic] [Windows] |7.6.0 |1
 
 |<<adobe-hijack-persistence, Adobe Hijack Persistence>> |Detects the creation 
 of an executable file or files that will be automatically run by Acrobat Reader 
-when it starts.  |[Elastic] [Windows] |7.6.0 |1
+when it starts.  |[Elastic] [Windows] |7.6.2 |2 <<adobe-hijack-persistence-history, Version history>>
 
 |<<adversary-behavior-detected-elastic-endpoint, Adversary Behavior - Detected - Elastic Endpoint>> |Elastic Endpoint detected an Adversary Behavior. Click 
 the Elastic Endpoint icon in the `event.module` column or the link in the 

diff --git a/docs/en/siem/rule-details/adobe-hijack-persistence.asciidoc b/docs/en/siem/rule-details/adobe-hijack-persistence.asciidoc
@@ -23,10 +23,12 @@ run by Acrobat Reader when it starts.
 * Elastic
 * Windows
 
-*Rule version*: 1
+*Rule version*: 2 (<<adobe-hijack-persistence-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
+*Last modified ({stack} release)*: 7.6.2
+
 ==== Rule query
 
 
@@ -35,7 +37,7 @@ run by Acrobat Reader when it starts.
 file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader
 DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat
 Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created
-(rule: FileCreate)" and not process.name:msiexeec.exe
+(rule: FileCreate)" and not process.name:msiexec.exe
 ----------------------------------
 
 ==== Threat mapping