[Docs][SIEM] Updates rule changeling for 7.6.2 (#966) (#971)

benskelker · web-flow · commit c6201699c2cb · 2020-04-01T21:42:36.000+03:00
* updates rules version

* and the rule itself
diff --git a/docs/en/siem/prebuilt-rules-changelog.asciidoc b/docs/en/siem/prebuilt-rules-changelog.asciidoc
@@ -5,6 +5,21 @@ beta[]
 
 This section lists all changes to prebuilt rules:
 
+[[adobe-hijack-persistence-history]]
+[%collapsible]
+.<<adobe-hijack-persistence>>
+====
+[width="100%",options="header"]
+|==============================================
+|Version |Release |Change
+|2
+|7.6.2
+|Fixed typo in rule query (from `not process.name:msiexeec.exe` to
+`not process.name:msiexec.exe`).
+
+|==============================================
+====
+
 [[dns-activity-to-the-internet-history]]
 [%collapsible]
 .<<dns-activity-to-the-internet>>
diff --git a/docs/en/siem/prebuilt-rules-reference.asciidoc b/docs/en/siem/prebuilt-rules-reference.asciidoc
@@ -14,7 +14,7 @@ the user in an attempt to evade detection. |[Elastic] [Windows] |7.6.0 |1
 
 |<<adobe-hijack-persistence, Adobe Hijack Persistence>> |Detects the creation 
 of an executable file or files that will be automatically run by Acrobat Reader 
-when it starts.  |[Elastic] [Windows] |7.6.0 |1
+when it starts.  |[Elastic] [Windows] |7.6.2 |2 <<adobe-hijack-persistence-history, Version history>>
 
 |<<adversary-behavior-detected-elastic-endpoint, Adversary Behavior - Detected - Elastic Endpoint>> |Elastic Endpoint detected an Adversary Behavior. Click 
 the Elastic Endpoint icon in the `event.module` column or the link in the 
diff --git a/docs/en/siem/rule-details/adobe-hijack-persistence.asciidoc b/docs/en/siem/rule-details/adobe-hijack-persistence.asciidoc
@@ -23,10 +23,12 @@ run by Acrobat Reader when it starts.
 * Elastic
 * Windows
 
-*Rule version*: 1
+*Rule version*: 2 (<<adobe-hijack-persistence-history, version history>>)
 
 *Added ({stack} release)*: 7.6.0
 
+*Last modified ({stack} release)*: 7.6.2
+
 ==== Rule query
 
 
@@ -35,7 +37,7 @@ run by Acrobat Reader when it starts.
 file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader
 DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat
 Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created
-(rule: FileCreate)" and not process.name:msiexeec.exe
+(rule: FileCreate)" and not process.name:msiexec.exe
 ----------------------------------
 
 ==== Threat mapping
