[Rule Tuning] Remove timestamp_override for endgame-* promotion rules (…

…#951) * remove timestamp_override from endgame promotion rules * updated version.lock to previous state for endgame promotion rule changes * fix incorrect year in updated_date
elastic · Feb 17, 2021 · 90a9320 · 90a9320
1 parent 61deed3
commit 90a9320
Show file tree

Hide file tree

Showing 360 changed files with 389 additions and 404 deletions.
diff --git a/etc/version.lock.json b/etc/version.lock.json
@@ -76,8 +76,8 @@
   },
   "0a97b20f-4144-49ea-be32-b540ecc445de": {
     "rule_name": "Malware - Detected - Endpoint Security",
-    "sha256": "d4b0108faa80fc35468cc5cfbbaf48b4db4dad7d1373cf48388752568eb83c98",
-    "version": 5
+    "sha256": "adcd895329cc4d1c41bc4bf8b75404c838823731713fa11f3d3b671dd24cc31d",
+    "version": 4
   },
   "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
     "rule_name": "Anomalous Windows Process Creation",
@@ -296,8 +296,8 @@
   },
   "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
     "rule_name": "Exploit - Detected - Endpoint Security",
-    "sha256": "81850f386eb8a302e85e9d36c472f159c4db6f7df7068bd0657b7a4bed6687b4",
-    "version": 5
+    "sha256": "83322d535ddc84dec40b7a90e9738726df2bd27ac3cdf96e7b9ebd967560bd25",
+    "version": 4
   },
   "201200f1-a99b-43fb-88ed-f65a45c4972c": {
     "rule_name": "Suspicious .NET Code Compilation",
@@ -371,8 +371,8 @@
   },
   "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
     "rule_name": "Exploit - Prevented - Endpoint Security",
-    "sha256": "8025e0d14b4ac2c3698276722c6310fd134681c4f71ee1f624681aae18e7940b",
-    "version": 5
+    "sha256": "4a04fd5b4099a19a093d301762f68352221eca036db21c9b9b2e388dc5c56a9e",
+    "version": 4
   },
   "28896382-7d4f-4d50-9b72-67091901fd26": {
     "rule_name": "Suspicious Process from Conhost",
@@ -541,8 +541,8 @@
   },
   "3b382770-efbb-44f4-beed-f5e0a051b895": {
     "rule_name": "Malware - Prevented - Endpoint Security",
-    "sha256": "11be6e8247af54541336c5e12c8a3423afd6884940d4b7f50160abb215a2337b",
-    "version": 5
+    "sha256": "49bf69bac026013bdfd88dbb0ebbf5f2cf01d0bcc8dbdc00d760cc4c1ecf6daf",
+    "version": 4
   },
   "3b47900d-e793-49e8-968f-c90dc3526aa1": {
     "rule_name": "Unusual Parent Process for cmd.exe",
@@ -606,8 +606,8 @@
   },
   "453f659e-0429-40b1-bfdb-b6957286e04b": {
     "rule_name": "Permission Theft - Prevented - Endpoint Security",
-    "sha256": "abc8e7c3bcc3a15d3c3f0f751333d1273f45b2d2fec6908c64af0132f529c07d",
-    "version": 5
+    "sha256": "de91fb70ece5386bf2fe4d065f50aa219516eff015f22534b5cd1b69064fe002",
+    "version": 4
   },
   "45d273fb-1dca-457d-9855-bcb302180c21": {
     "rule_name": "Encrypting Files with WinRar or 7z",
@@ -751,8 +751,8 @@
   },
   "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
     "rule_name": "Credential Dumping - Detected - Endpoint Security",
-    "sha256": "26fa244a5b78452aa61775e3ee2894c6b1bd109cef9c2af649e4dc372ccb5820",
-    "version": 5
+    "sha256": "bdc750ae44da6954d429af1c78db084f915fe63db463a2e084107bd4b7725a73",
+    "version": 4
   },
   "581add16-df76-42bb-af8e-c979bfb39a59": {
     "rule_name": "Deleting Backup Catalogs with Wbadmin",
@@ -1046,8 +1046,8 @@
   },
   "77a3c3df-8ec4-4da4-b758-878f551dee69": {
     "rule_name": "Adversary Behavior - Detected - Endpoint Security",
-    "sha256": "feb872802e7782ee07c3ce2339461810c274ee659c348fc97732f92049821215",
-    "version": 5
+    "sha256": "60af511ccd3ed511fec254c879279d5090ca084efa9c11bc4fb01690450b7180",
+    "version": 4
   },
   "785a404b-75aa-4ffd-8be5-3334a5a544dd": {
     "rule_name": "Application Added to Google Workspace Domain",
@@ -1111,8 +1111,8 @@
   },
   "80c52164-c82a-402c-9964-852533d58be1": {
     "rule_name": "Process Injection - Detected - Endpoint Security",
-    "sha256": "4f1de68d87322c3c6461f6185af8a92e1a0bf4c9cf15482acb0d5fc54aee9ad2",
-    "version": 5
+    "sha256": "126b716fe963842ff8406842f8a101953a04e7e9f167e578094712fa6b006b00",
+    "version": 4
   },
   "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
     "rule_name": "Persistence via Kernel Module Modification",
@@ -1186,8 +1186,8 @@
   },
   "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
     "rule_name": "Ransomware - Detected - Endpoint Security",
-    "sha256": "cc1ace9a3ad8ce73ec1f8770f4e28eeff0ef3cd0a16c05667446e6b3245ead12",
-    "version": 5
+    "sha256": "afa86e4d621fd2e511406e86b4ae9c07348c4471320a9ef65b26e0643c34e133",
+    "version": 4
   },
   "8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
     "rule_name": "Azure Automation Runbook Deleted",
@@ -1321,8 +1321,8 @@
   },
   "990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
     "rule_name": "Process Injection - Prevented - Endpoint Security",
-    "sha256": "022423bc49a60ec9e5e498ebbcb53aefd560e79e0b2f3a0d1ab3b523a69c413b",
-    "version": 5
+    "sha256": "92c674029d3c058f18ec3fafbf91a3c2443023a6a18db9c3118cbf6d4138388d",
+    "version": 4
   },
   "9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
     "rule_name": "Endpoint Security",
@@ -1711,8 +1711,8 @@
   },
   "c0be5f31-e180-48ed-aa08-96b36899d48f": {
     "rule_name": "Credential Manipulation - Detected - Endpoint Security",
-    "sha256": "8cc4996c8b4f2215ed4f55e655ee2885255470bc1a1ad5b9ca9ddca5b67d360b",
-    "version": 5
+    "sha256": "3e27a7e7fda1be83a083f51ec320e2c49e41a3048660137a7d551e30b8c997c3",
+    "version": 4
   },
   "c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
     "rule_name": "Microsoft IIS Connection Strings Decryption",
@@ -1736,8 +1736,8 @@
   },
   "c3167e1b-f73c-41be-b60b-87f4df707fe3": {
     "rule_name": "Permission Theft - Detected - Endpoint Security",
-    "sha256": "01ef32f083b0567b88de07eb3e0d12f44d921b856a867438182a18a915ce6df9",
-    "version": 5
+    "sha256": "7b185258dbbaa2a9837362d5bb5f7551cfdf689ccbd0119140c1155c581dd80c",
+    "version": 4
   },
   "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
     "rule_name": "Mounting Hidden or WebDav Remote Shares",
@@ -1801,8 +1801,8 @@
   },
   "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
     "rule_name": "Credential Manipulation - Prevented - Endpoint Security",
-    "sha256": "5e44b1db0cda0ab4d0164d299c3ab1d19040ef76742cc689a565a1f1d05f419a",
-    "version": 5
+    "sha256": "0734e9a063c5bbf35c5b4b73c95544f1399e648c12d6396698015de1d5d392ef",
+    "version": 4
   },
   "ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
     "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
@@ -1981,8 +1981,8 @@
   },
   "db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
     "rule_name": "Credential Dumping - Prevented - Endpoint Security",
-    "sha256": "d2cc502d59bfbd70f4141daac53c9d1b5f4bc02cfab59c4332124854a1d87ec2",
-    "version": 5
+    "sha256": "ce8fd451c2c3bc3c5f9b35f212dc0b75348bb07d1c1c4c1559e575150874345f",
+    "version": 4
   },
   "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
     "rule_name": "Volume Shadow Copy Deletion via WMIC",
@@ -2066,8 +2066,8 @@
   },
   "e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
     "rule_name": "Ransomware - Prevented - Endpoint Security",
-    "sha256": "3eaf582284975d232f4419f32b8f6e2b383e7c68328a779e7da46c7feebbccb1",
-    "version": 5
+    "sha256": "911ba16663efb30078217f771edbd6e7356f869662483fac274b09c8097580cb",
+    "version": 4
   },
   "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
     "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",

diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Nick Jones", "Elastic"]

diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/24"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2020/02/16"
+updated_date = "2021/02/16"
 
 [rule]
 author = ["Elastic"]