From 33030f09fa91f6d4f2b1101ff6210d03b576a7e3 Mon Sep 17 00:00:00 2001
From: Khristinin Nikita
Date: Tue, 30 Nov 2021 19:25:42 +0100
Subject: [PATCH] [Rule Tuning] Support ECS 1.11 field for IM rule (#1560)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Support ecs field for IM rule
* update time interval
* Change additional lookback to 5 minutes
* Add old rule
* Add newline
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra
* Remove im legacy rule
* Udpdate name and description
* Remove min_stack_comment
* Keep 2 IM rule
* add min_stack_comments to rule
* Update rules/cross-platform/threat_intel_indicator_match.toml
Co-authored-by: Justin Ibarra
* adds new rules
Co-authored-by: Justin Ibarra
Co-authored-by: Ece Özalp
Co-authored-by: Ece Ozalp
(cherry picked from commit c619844b0d115c9d8de37d330d2fe4621f668d41)
---
 ...tel_module_match.toml => threat_intel_filebeat7x.toml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 rename rules/cross-platform/{threat_intel_module_match.toml => threat_intel_filebeat7x.toml} (96%)
diff --git a/rules/cross-platform/threat_intel_module_match.toml b/rules/cross-platform/threat_intel_filebeat7x.toml
similarity index 96%
rename from rules/cross-platform/threat_intel_module_match.toml
rename to rules/cross-platform/threat_intel_filebeat7x.toml
index 998729b0c..f742ff29e 100644
--- a/rules/cross-platform/threat_intel_module_match.toml
+++ b/rules/cross-platform/threat_intel_filebeat7x.toml
@@ -6,14 +6,14 @@ updated_date = "2021/10/29"
 [rule]
 author = ["Elastic"]
 description = """
-This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.
+This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) has a match against local file or network observations.
 """
 from = "now-65m"
 index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
 interval = "1h"
 language = "kuery"
 license = "Elastic License v2"
-name = "Threat Intel Filebeat Module Indicator Match"
+name = "Threat Intel Filebeat Module (v7.x) Indicator Match"
 note = """## Triage and Analysis
 ### Investigating Threat Intel Indicator Matches
@@ -66,7 +66,7 @@ timeline_title = "Generic Threat Match Timeline"
 type = "threat_match"
 threat_index = [ "filebeat-*"]
-threat_indicator_path = ""
+threat_indicator_path = "threatintel.indicator"
 threat_language = "kuery"
 threat_query = '''
@@ -178,4 +178,4 @@ value = "threatintel.indicator.url.full"
 [[rule.threat_mapping.entries]]
 field = "registry.path"
 type = "mapping"
-value = "threatintel.indicator.registry.path"
+value = "threatintel.indicator.registry.path"
\ No newline at end of file
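Review bot: `threat_indicator_path = "threatintel.indicator"` pins this rule to the Filebeat 7.x threatintel module schema, but nothing in the file records why, so a later ECS 1.11+ (`threat.indicator.*`) cleanup is likely to "fix" it by mistake; add a comment above the key such as `# Filebeat 7.x threatintel module writes indicators under threatintel.indicator; ECS 1.11+ sources use threat.indicator and are covered by the separate rule kept in this commit`. The empty string it replaces presumably relied on Kibana's version-dependent default, so the explicit value is the right move, but it should be checked against a live 7.x indicator document: a wrong path yields zero matches rather than an error, i.e. a silent detection gap. Note also that `threat_index = [ "filebeat-*"]` and the rule's `index` both include `filebeat-*`; unless the source `query` (outside these hunks) excludes `event.module:threatintel`, indicator documents can be matched against themselves. The last hunk additionally drops the file's trailing newline, contrary to the "Add newline" item in the commit message.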