[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)

* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -35,6 +35,7 @@ rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.category:process and event.type:start and

rules/cross-platform/threat_intel_indicator_match_address.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/10/19"
+updated_date = "2024/01/17"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
 general rules.
@@ -49,7 +49,7 @@ note = """## Triage and Analysis
 
 ### Investigating Threat Intel IP Address Indicator Match
 
-Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. 
+Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.
 
 Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.
 
@@ -62,7 +62,7 @@ This rule is triggered when an IP address indicator from the Threat Intel Filebe
 
 - Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.
 - Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:
-  - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
+  - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
   - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.
 - Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
 - Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
@@ -121,6 +121,7 @@ severity = "critical"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
+timestamp_override = "event.ingested"
 type = "threat_match"
 
 threat_index = ["filebeat-*", "logs-ti_*"]

rules/cross-platform/threat_intel_indicator_match_hash.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/10/19"
+updated_date = "2024/01/17"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
 general rules.
@@ -49,7 +49,7 @@ note = """## Triage and Analysis
 
 ### Investigating Threat Intel Hash Indicator Match
 
-Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. 
+Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.
 
 Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.
 
@@ -120,6 +120,7 @@ severity = "critical"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
+timestamp_override = "event.ingested"
 type = "threat_match"
 
 threat_index = ["filebeat-*", "logs-ti_*"]
@@ -128,7 +129,7 @@ threat_language = "kuery"
 
 threat_query = '''
 @timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and
-  (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and 
+  (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and
   not labels.is_ioc_transform_source:"true"
 '''
 

rules/cross-platform/threat_intel_indicator_match_registry.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/10/19"
+updated_date = "2024/01/17"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
 general rules.
@@ -49,7 +49,7 @@ note = """## Triage and Analysis
 
 ### Investigating Threat Intel Windows Registry Indicator Match
 
-Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. 
+Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.
 
 Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.
 
@@ -115,6 +115,7 @@ severity = "critical"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
+timestamp_override = "event.ingested"
 type = "threat_match"
 
 threat_index = ["filebeat-*", "logs-ti_*"]

rules/cross-platform/threat_intel_indicator_match_url.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/10/19"
+updated_date = "2024/01/17"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
 general rules.
@@ -49,7 +49,7 @@ note = """## Triage and Analysis
 
 ### Investigating Threat Intel URL Indicator Match
 
-Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. 
+Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.
 
 Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.
 
@@ -62,7 +62,7 @@ This rule is triggered when a URL indicator from the Threat Intel Filebeat modul
 
 - Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:
   - Identify the type of malicious activity related to the URL (phishing, malware, etc.).
-  - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
+  - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
   - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.
   - If dealing with a phishing incident:
     - Contact the user to gain more information around the delivery method, information sent, etc.
@@ -124,6 +124,7 @@ severity = "critical"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
+timestamp_override = "event.ingested"
 type = "threat_match"
 
 threat_index = ["filebeat-*", "logs-ti_*"]

rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -79,6 +79,7 @@ tags = [
     "Tactic: Credential Access"
 ]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.dataset:aws.cloudtrail and

rules/integrations/aws/credential_access_root_console_failure_brute_force.toml

@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -33,6 +33,7 @@ rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
 severity = "high"
 tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure

rules/integrations/beaconing/command_and_control_beaconing.toml

@@ -4,7 +4,7 @@ integration = ["beaconing", "endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "Beaconing package updates and support"
 min_stack_version = "8.10.1"
-updated_date = "2023/12/12"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "Statistical Model Detected C2 Beaconing Activity"
 setup = """
-The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.   
+The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.
 
 ### Network Beaconing Identification Setup
 The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.
@@ -46,6 +46,7 @@ rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
 severity = "low"
 tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 beacon_stats.is_beaconing: true

rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

@@ -4,7 +4,7 @@ integration = ["beaconing", "endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "Beaconing package updates and support"
 min_stack_version = "8.10.1"
-updated_date = "2023/12/12"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "Statistical Model Detected C2 Beaconing Activity with High Confidence"
 setup = """
-The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.   
+The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.
 
 ### Network Beaconing Identification Setup
 The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.
@@ -46,6 +46,7 @@ rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93"
 severity = "low"
 tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 beacon_stats.beaconing_score: 3

rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml

@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -32,6 +32,7 @@ rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
 severity = "high"
 tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and

rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml

@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -32,6 +32,7 @@ rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
 severity = "high"
 tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and

rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml

@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -31,6 +31,7 @@ rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
 severity = "high"
 tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"

rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
 min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -65,6 +65,7 @@ rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
 severity = "medium"
 tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.dataset:okta.system and event.action:user.account.lock

rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml

@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
 min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -65,6 +65,7 @@ rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
 severity = "medium"
 tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.dataset:okta.system and event.category:authentication and event.outcome:failure

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml

@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
 min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -65,6 +65,7 @@ rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
 severity = "medium"
 tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.dataset:okta.system and

rules/linux/impact_process_kill_threshold.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/01/17"
 
 [rule]
 author = ["Elastic"]
@@ -79,6 +79,7 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f"

rules/linux/persistence_message_of_the_day_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/13"
+updated_date = "2024/01/05"
 
 [transform]
 [[transform.osquery]]
@@ -81,7 +81,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/`
 - Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
   - $osquery_3
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
+- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.
   - If scripts or executables were dropped, retrieve the files and determine if they are malicious:
     - Use a private sandboxed malware analysis system to perform analysis.
       - Observe and collect information about the following activities:
@@ -158,8 +158,9 @@ tags = [
         "Data Source: Elastic Defend"
         ]
 type = "new_terms"
+timestamp_override = "event.ingested"
 query = '''
-host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
+host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
 file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (
   dpkg or dockerd or rpm or executor or dnf or podman or ln
 ) and not file.extension : ("swp" or "swpx")

rules/linux/persistence_rc_script_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2024/01/05"
 
 [transform]
 [[transform.osquery]]
@@ -29,9 +29,9 @@ description = """
 This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable
 through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications,
 services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd.
-However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at 
-boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the 
-system. 
+However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at
+boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the
+system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -42,11 +42,11 @@ note = """## Triage and analysis
 
 ### Investigating Potential Persistence Through Run Control Detected
 
-The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. 
+The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.
 
-There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. 
+There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.
 
-Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file. 
+Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file.
 
 > **Note**:
 > This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
@@ -66,7 +66,7 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f
     - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.
 - Investigate other alerts associated with the user/host during the past 48 hours.
 - Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.
-- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
+- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.
   - If scripts or executables were dropped, retrieve the files and determine if they are malicious:
     - Use a private sandboxed malware analysis system to perform analysis.
       - Observe and collect information about the following activities:
@@ -80,7 +80,7 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f
 ### False Positive Analysis
 
 - If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.
-- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. 
+- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.
 - Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.
 
 ### Response and remediation
@@ -143,8 +143,9 @@ tags = [
         "Data Source: Elastic Defend"
         ]
 type = "new_terms"
+timestamp_override = "event.ingested"
 query = '''
-host.os.type : "linux" and event.category : "file" and 
+host.os.type : "linux" and event.category : "file" and
 event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
 file.path : "/etc/rc.local" and not process.name : (
   "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg"

rules/macos/credential_access_potential_macos_ssh_bruteforce.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/15"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -49,6 +49,7 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd

rules/network/discovery_potential_network_sweep_detected.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/22"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -30,8 +30,10 @@ tags = ["Domain: Network",
         "Use Case: Network Security Monitoring"
         ]
 type = "threshold"
+timestamp_override = "event.ingested"
+
 query = '''
-destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and 
+destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
 source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
 

rules/network/discovery_potential_port_scan_detected.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/22"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -31,6 +31,8 @@ tags = ["Domain: Network",
         "Use Case: Network Security Monitoring"
         ]
 type = "threshold"
+timestamp_override = "event.ingested"
+
 query = '''
 destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''

rules/network/discovery_potential_syn_port_scan_detected.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/22"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -31,6 +31,8 @@ tags = ["Domain: Network",
         "Use Case: Network Security Monitoring"
         ]
 type = "threshold"
+timestamp_override = "event.ingested"
+
 query = '''
 destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''

rules/promotions/credential_access_endgame_cred_dumping_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)

rules/promotions/credential_access_endgame_cred_dumping_prevented.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)

rules/promotions/endgame_adversary_behavior_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
 severity = "medium"
 tags = ["Data Source: Elastic Endgame"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)

rules/promotions/endgame_malware_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
 severity = "critical"
 tags = ["Data Source: Elastic Endgame"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)

rules/promotions/endgame_malware_prevented.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
 severity = "high"
 tags = ["Data Source: Elastic Endgame"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)

rules/promotions/endgame_ransomware_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
 severity = "critical"
 tags = ["Data Source: Elastic Endgame"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)

rules/promotions/endgame_ransomware_prevented.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
 severity = "high"
 tags = ["Data Source: Elastic Endgame"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)

rules/promotions/execution_endgame_exploit_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)

rules/promotions/execution_endgame_exploit_prevented.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)

rules/promotions/external_alerts.toml

@@ -3,7 +3,7 @@ creation_date = "2020/07/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]

rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)

rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)

rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)

rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)

rules/promotions/privilege_escalation_endgame_process_injection_detected.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "80c52164-c82a-402c-9964-852533d58be1"
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)

rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/17"
 promotion = true
 
 [rule]
@@ -24,6 +24,7 @@ rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
+timestamp_override = "event.ingested"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)

rules/windows/impact_stop_process_service_threshold.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/19"
+updated_date = "2024/01/17"
 
 [rule]
 author = ["Elastic"]
@@ -54,6 +54,7 @@ rule_id = "035889c4-2686-4583-a7df-67f89c292f2c"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 type = "threshold"
+timestamp_override = "event.ingested"
 
 query = '''
 event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and

rules_building_block/collection_linux_suspicious_clipboard_activity.toml

@@ -4,14 +4,14 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/27"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group 
-leader. Adversaries may collect data stored in the clipboard from users copying information within or between 
-applications. 
+This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group
+leader. Adversaries may collect data stored in the clipboard from users copying information within or between
+applications.
 """
 from = "now-119m"
 interval = "60m"
@@ -24,9 +24,10 @@ rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR", "Data Source: Elastic Defend"]
 type = "new_terms"
+timestamp_override = "event.ingested"
 building_block_type = "default"
 query = '''
-event.category:process and host.os.type:"linux" and event.action:"exec" and event.type:"start" and 
+event.category:process and host.os.type:"linux" and event.action:"exec" and event.type:"start" and
 process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq")
 '''
 

rules_building_block/persistence_udev_rule_creation.toml

@@ -5,7 +5,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/10/26"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -60,9 +60,10 @@ tags = [
         "Rule Type: BBR"
         ]
 type = "new_terms"
+timestamp_override = "event.ingested"
 query = '''
-host.os.type:"linux" and event.category:"file" and 
-event.type:("change" or "file_modify_event" or "creation" or "file_create_event") and 
+host.os.type:"linux" and event.category:"file" and
+event.type:("change" or "file_modify_event" or "creation" or "file_create_event") and
 file.path:/lib/udev/* and process.executable:* and not (
    process.name:("dockerd" or "docker" or "dpkg" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "systemd-hwdb" or
      "podman" or "buildah") or file.extension : ("swp" or "swpx")

tests/test_all_rules.py

@@ -19,7 +19,6 @@ from semver import Version
 
 import kql
 from detection_rules import attack
-from detection_rules.beats import parse_beats_from_index
 from detection_rules.integrations import (find_latest_compatible_version,
                                           load_integrations_manifests,
                                           load_integrations_schemas)
@@ -955,88 +954,34 @@ class TestRuleTiming(BaseRuleTest):
         # kql: always require (fallback to @timestamp enabled)
         # eql:
         #   sequences: never
-        #   min_stack_version < 8.2: only where event.ingested defined (no beats) or add config to update pipeline
         #   min_stack_version >= 8.2: any - fallback to @timestamp enabled https://github.com/elastic/kibana/pull/127989
-
-        errors = {
-            'query': {
-                'errors': [],
-                'msg': 'should have the `timestamp_override` set to `event.ingested`'
-            },
-            'eql_sq': {
-                'errors': [],
-                'msg': 'cannot have the `timestamp_override` set to `event.ingested` because it uses a sequence'
-            },
-            'lt_82_eql': {
-                'errors': [],
-                'msg': 'should have the `timestamp_override` set to `event.ingested`'
-            },
-            'lt_82_eql_beats': {
-                'errors': [],
-                'msg': ('eql rules include beats indexes. Non-elastic-agent indexes do not add the `event.ingested` '
-                        'field and there is no default fallback to @timestamp for EQL rules <8.2, so the override '
-                        'should be removed or a config entry included to manually add it in a custom pipeline')
-            },
-            'gte_82_eql': {
-                'errors': [],
-                'msg': ('should have the `timestamp_override` set to `event.ingested` - default fallback to '
-                        '@timestamp was added in 8.2')
-            }
-        }
-
-        pipeline_config = ('If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions '
-                           '<8.2, events will not define `event.ingested` and default fallback for EQL rules '
-                           'was not added until 8.2, so you will need to add a custom pipeline to populate '
-                           '`event.ingested` to @timestamp for this rule to work.')
+        #  if 'event.ingested' is missing, '@timestamp' will be default
+        errors = []
 
         for rule in self.all_rules:
-            if rule.contents.data.type not in ('eql', 'query'):
-                continue
-            if rule.contents.metadata.get('integration'):
-                integrations = rule.contents.metadata.get('integration')
-                if not isinstance(integrations, list):
-                    integrations = [integrations]
-                machine_learning_packages_lower = [pkg.lower() for pkg in definitions.MACHINE_LEARNING_PACKAGES]
-                if any(tag in machine_learning_packages_lower for tag in integrations):
-                    continue
-            if isinstance(rule.contents.data, QueryRuleData) and 'endgame-*' in rule.contents.data.index:
-                continue
+            # skip rules that do not leverage queries (i.e. machine learning)
+            # filters to acceptable query languages in definitions.FilterLanguages
+            # QueryRuleData should inheritenly ignore machine learning rules
+            if isinstance(rule.contents.data, QueryRuleData):
+                rule_language = rule.contents.data.language
+                rule_integrations = rule.contents.metadata.get('integration')
+                if isinstance(rule_integrations, str):
+                    rule_integrations = [rule_integrations]
+                rule_query = rule.contents.data.get('query')
+                has_event_ingested = rule.contents.data.get('timestamp_override') == 'event.ingested'
+                rule_str = self.rule_str(rule, trailer=None)
 
-            has_event_ingested = rule.contents.data.timestamp_override == 'event.ingested'
-            indexes = rule.contents.data.get('index', [])
-            beats_indexes = parse_beats_from_index(indexes)
-            min_stack_is_less_than_82 = Version.parse(rule.contents.metadata.min_stack_version or '7.13.0',
-                                                      optional_minor_and_patch=True) < Version.parse("8.2.0")
-            config = rule.contents.data.get('note') or ''
-            rule_str = self.rule_str(rule, trailer=None)
-
-            if rule.contents.data.type == 'query':
                 if not has_event_ingested:
-                    errors['query']['errors'].append(rule_str)
-            # eql rules depends
-            elif rule.contents.data.type == 'eql':
-                if rule.contents.data.is_sequence:
-                    if has_event_ingested:
-                        errors['eql_sq']['errors'].append(rule_str)
-                else:
-                    if min_stack_is_less_than_82:
-                        if not beats_indexes and not has_event_ingested:
-                            errors['lt_82_eql']['errors'].append(rule_str)
-                        elif beats_indexes and has_event_ingested and pipeline_config not in config:
-                            errors['lt_82_eql_beats']['errors'].append(rule_str)
+                    # TODO: determine if we expand this to ES|QL
+                    # ignores any rule that does not use EQL or KQL queries specifically
+                    # this does not avoid rule types where variants of KQL are used (e.g. new terms)
+                    if rule_language not in ('eql', 'kuery') or "sequence" in rule_query:
+                        continue
                     else:
-                        if not has_event_ingested:
-                            errors['gte_82_eql']['errors'].append(rule_str)
+                        errors.append(f'{rule_str} - rule must have `timestamp_override: event.ingested`')
 
-        if any([v['errors'] for k, v in errors.items()]):
-            err_strings = ['errors with `timestamp_override = "event.ingested"`']
-            for _, errors_by_type in errors.items():
-                type_errors = errors_by_type['errors']
-                if not type_errors:
-                    continue
-                err_strings.append(f'({len(type_errors)}) {errors_by_type["msg"]}')
-                err_strings.extend([f'  - {e}' for e in type_errors])
-            self.fail('\n'.join(err_strings))
+        if errors:
+            self.fail('The following rules are invalid:\n' + '\n'.join(errors))
 
     def test_required_lookback(self):
         """Ensure endpoint rules have the proper lookback time."""