[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules

rules/azure/initial_access_azure_active_directory_high_risk_signin.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/01/04"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -26,6 +26,7 @@ risk_score = 73
 rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
 severity = "high"
 tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''

rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/cross-platform/discovery_security_software_grep.toml

@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/12/20"
 maturity = "production"
-updated_date = "2020/12/20"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as
-Antivirus or Host Firewall details.
+Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus
+or Host Firewall details.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "auditbeat-*"]
@@ -18,6 +18,7 @@ risk_score = 47
 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
 severity = "medium"
 tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -68,3 +69,4 @@ reference = "https://attack.mitre.org/techniques/T1518/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml

@@ -1,14 +1,11 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2021/01/12"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
-description = """
-Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and
-Linux.
-"""
+description = "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux."
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
@@ -19,8 +16,10 @@ risk_score = 73
 rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*
 '''
+

rules/cross-platform/execution_python_script_in_cmdline.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "development"
-updated_date = "2021/01/13"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "macOS", "Windows", "Threat Detection", "Execution"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/cross-platform/execution_revershell_via_shell_cmd.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2020/01/07"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
@@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/cross-platform/execution_suspicious_jar_child_process.toml

@@ -18,6 +18,7 @@ risk_score = 47
 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''

rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml

@@ -1,15 +1,17 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2020/12/21"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
 description = """
 Adversaries may modify the standard authentication module for persistence via patching the normal authorization process
 or modifying the login configuration to allow unauthorized access or elevate privileges.
 """
-false_positives = ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."]
+false_positives = [
+    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
+]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
@@ -25,6 +27,7 @@ risk_score = 47
 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
 severity = "medium"
 tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Credential Access", "Persistence"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -46,13 +49,15 @@ event.category:file and event.type:change and
     )
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -69,3 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1556/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+

rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/15"
 maturity = "production"
-updated_date = "2021/01/15"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -53,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1053/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/cross-platform/persistence_shell_profile_modification.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/01/19"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 47
 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
 severity = "medium"
 tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Execution", "Persistence"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -69,3 +70,4 @@ reference = "https://attack.mitre.org/techniques/T1546/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2020/12/22"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
 description = """
-The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
-Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
+The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key
+authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -18,6 +18,7 @@ risk_score = 47
 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1098/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/26"
 maturity = "production"
-updated_date = "2021/01/26"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ risk_score = 73
 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -37,6 +38,7 @@ name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
 
 
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"

rules/linux/credential_access_collection_sensitive_files.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2020/12/22"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 47
 rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Collection", "Credential Access"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -93,3 +94,4 @@ reference = "https://attack.mitre.org/techniques/T1560/001/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+

rules/linux/credential_access_ssh_backdoor_log.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2020/12/21"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 73
 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
@@ -83,3 +84,4 @@ reference = "https://attack.mitre.org/techniques/T1554/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/linux/initial_access_login_failures.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2020/07/08"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Auditd Max Failed Login Attempts"
-references = ["https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574"]
+references = [
+    "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574",
+]
 risk_score = 47
 rule_id = "fb9937ce-7e21-46bf-831d-1ad96eac674d"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/linux/initial_access_login_location.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2020/07/08"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Auditd Login from Forbidden Location"
-references = ["https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412"]
+references = [
+    "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412",
+]
 risk_score = 73
 rule_id = "cab4f01c-793f-4a54-a03e-e5d85b96d7af"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+