From e374ff5ab5c8a22857707f5b39f00b7b6fb4523e Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 21 Oct 2025 14:58:47 +0100
Subject: [PATCH 1/3] Update impact_high_freq_file_renames_by_kernel.toml
---
 rules/windows/impact_high_freq_file_renames_by_kernel.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index 060f9e416b5..6d0b6cfd381 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,7 @@ creation_date = "2024/05/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/30"
+updated_date = "2025/10/21"
 [rule]
 author = ["Elastic"]
@@ -75,10 +75,10 @@ from logs-endpoint.events.file-* metadata _id, _version, _index
 // truncate the timestamp to a 60-second window
 | eval Esql.time_window_date_trunc = date_trunc(60 seconds, @timestamp)
-| keep file.path, file.name, process.entity_id, Esql.time_window_date_trunc
+| keep file.path, file.name, process.entity_id, Esql.time_window_date_trunc, host.name, host.ip
 // filter for same file name dropped in at least 3 unique paths by the System virtual process
-| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path), Esql.file_path_values = VALUES(file.path) by process.entity_id , file.name, Esql.time_window_date_trunc
+| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path), Esql.file_path_values = VALUES(file.path), Esql.host_ips = values(host.ip) by host.name, process.entity_id , file.name, Esql.time_window_date_trunc
 | where Esql.file_path_count_distinct >= 3
 '''
From 9a360c24c9e0456abb4fb2eec154c35a38fe61fa Mon Sep 17 00:00:00 2001
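Review bot: The new aggregation on the `| stats` line mixes casing, `values(host.ip)` in lowercase beside `COUNT_DISTINCT(file.path)` and `VALUES(file.path)` on the same line; `Esql.host_ips = VALUES(host.ip)` keeps the line uniform, and the same mixed casing is carried into the rewrites of this line in patches 2/3 and 3/3. Adding `host.name` as a group key should not change the distinct-path count as long as `process.entity_id` is already unique per host, but events that lack `host.name` would, as far as I can tell, fall into a separate null-key bucket and be counted apart from the rest of the same process, which is worth a check against real data before relying on it. The ES|QL query begins before this hunk; its `from logs-endpoint.events.file-*` line is only visible as hunk context.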
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 21 Oct 2025 15:13:33 +0100
Subject: [PATCH 2/3] Update impact_high_freq_file_renames_by_kernel.toml
---
 rules/windows/impact_high_freq_file_renames_by_kernel.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index 6d0b6cfd381..d8e98a8ec9f 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -75,10 +75,10 @@ from logs-endpoint.events.file-* metadata _id, _version, _index
 // truncate the timestamp to a 60-second window
 | eval Esql.time_window_date_trunc = date_trunc(60 seconds, @timestamp)
-| keep file.path, file.name, process.entity_id, Esql.time_window_date_trunc, host.name, host.ip
+| keep user.id, user.name, file.path, file.name, process.entity_id, Esql.time_window_date_trunc, host.name, host.ip
 // filter for same file name dropped in at least 3 unique paths by the System virtual process
-| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path), Esql.file_path_values = VALUES(file.path), Esql.host_ips = values(host.ip) by host.name, process.entity_id , file.name, Esql.time_window_date_trunc
+| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path), Esql.file_path_values = VALUES(file.path), Esql.host_ips = values(host.ip) by host.name, user.name, user.id, process.entity_id , file.name, Esql.time_window_date_trunc
 | where Esql.file_path_count_distinct >= 3
 '''
From 8deb2be98e45d54bd75e6d7403f8a5a085e244b3 Mon Sep 17 00:00:00 2001
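Review bot: Keying the `| stats` on `user.name, user.id` changes what the `>= 3` threshold counts: the distinct-path count is now per host, user and process, so if events from one System process in the same 60-second window carry differing or missing `user.id`/`user.name` values, the count is split across buckets and an alert the previous query would have raised can be lost. If the goal is only to surface the user on the alert, aggregating instead of keying avoids that: `Esql.user_name_values = VALUES(user.name), Esql.user_id_values = VALUES(user.id)` next to the existing `VALUES(file.path)`, with the `by` clause left as it was in patch 1/3. In either form the comment above the stats line still describes only the file-name/path condition; extending it to say that results are grouped per host and user so those fields reach the alert would explain the extra keys to the next maintainer. The query's `from` line lies outside this hunk.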
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 21 Oct 2025 15:57:14 +0100
Subject: [PATCH 3/3] Update rules/windows/impact_high_freq_file_renames_by_kernel.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 rules/windows/impact_high_freq_file_renames_by_kernel.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index d8e98a8ec9f..6ffad571ee2 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -78,7 +78,7 @@ from logs-endpoint.events.file-* metadata _id, _version, _index
 | keep user.id, user.name, file.path, file.name, process.entity_id, Esql.time_window_date_trunc, host.name, host.ip
 // filter for same file name dropped in at least 3 unique paths by the System virtual process
-| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path), Esql.file_path_values = VALUES(file.path), Esql.host_ips = values(host.ip) by host.name, user.name, user.id, process.entity_id , file.name, Esql.time_window_date_trunc
+| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path), Esql.file_path_values = VALUES(file.path), Esql.host_ip_values = values(host.ip) by host.name, user.name, user.id, process.entity_id , file.name, Esql.time_window_date_trunc
 | where Esql.file_path_count_distinct >= 3
 '''