[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-seq…

…uence EQL rules (#948) * [Rule Tuning] Add timestamp_override field to 7.11.0 rules * Lock versions for 7.11.2 rules
elastic · Feb 16, 2021 · 61deed3 · 61deed3
1 parent 66be828
commit 61deed3
Show file tree

Hide file tree

Showing 360 changed files with 1,640 additions and 1,152 deletions.
diff --git a/etc/version.lock.json b/etc/version.lock.json
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 47
 rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
 severity = "medium"
 tags = ["Elastic", "APM"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''

diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 47
 rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef"
 severity = "medium"
 tags = ["Elastic", "APM"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''

diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 47
 rule_id = "43303fd4-4839-4e48-b2b2-803ab060758d"
 severity = "medium"
 tags = ["Elastic", "APM"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''

diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 47
 rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
 severity = "medium"
 tags = ["Elastic", "APM"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''

diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
 severity = "low"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''

diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2020/12/17"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''

diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -30,6 +30,7 @@ risk_score = 73
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
 severity = "high"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''

diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -47,6 +48,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -32,6 +32,7 @@ risk_score = 47
 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
 severity = "medium"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -51,6 +52,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 47
 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
 severity = "medium"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -47,6 +48,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -32,6 +32,7 @@ risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "medium"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -51,6 +52,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 73
 rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
 severity = "high"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -47,6 +48,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -31,6 +31,7 @@ risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -50,6 +51,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -33,6 +33,7 @@ risk_score = 47
 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
 severity = "medium"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -52,6 +53,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -31,6 +31,7 @@ risk_score = 73
 rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
 severity = "high"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -50,6 +51,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -31,6 +31,7 @@ risk_score = 21
 rule_id = "227dc608-e558-43d9-b521-150772250bae"
 severity = "low"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''

diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 47
 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
 severity = "medium"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -47,6 +48,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 47
 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
 severity = "medium"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -47,6 +48,7 @@ name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"