From 3876ef3a37de49a6950d8f4cb0c38edc3866fc68 Mon Sep 17 00:00:00 2001
From: Bobby Filar <29960025+bfilar@users.noreply.github.com>
Date: Tue, 13 Apr 2021 13:58:13 -0400
Subject: [PATCH] Adjust loopback for Cloudtrail (#1103)
* #1092 adjusting loopback for cloudtrail
* refactored time interval, adjusted updated_date
* reverting bucket interval back to 15m
---
 rules/ml/ml_cloudtrail_rare_error_code.toml | 4 ++--
 rules/ml/ml_cloudtrail_rare_method_by_city.toml | 4 ++--
 rules/ml/ml_cloudtrail_rare_method_by_country.toml | 4 ++--
 rules/ml/ml_cloudtrail_rare_method_by_user.toml | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/ml/ml_cloudtrail_rare_error_code.toml b/rules/ml/ml_cloudtrail_rare_error_code.toml
index 519eb51eb..7ebf968f9 100644
--- a/rules/ml/ml_cloudtrail_rare_error_code.toml
+++ b/rules/ml/ml_cloudtrail_rare_error_code.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/12"
 
 [rule]
 anomaly_threshold = 50
@@ -17,7 +17,7 @@ false_positives = [
 automation scripts or workflows, or changes to IAM privileges.
 """,
 ]
-from = "now-60m"
+from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_error_code"
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_city.toml b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
index 5f0dafe15..48da5e8e8 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/12"
 
 [rule]
 anomaly_threshold = 50
@@ -18,7 +18,7 @@ false_positives = [
 adoption of work from home policies; or users who travel frequently.
 """,
 ]
-from = "now-60m"
+from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_city"
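Review bot: `from = "now-2h"` now spans eight 15-minute runs of this rule, but nothing in ml_cloudtrail_rare_error_code.toml records why the lookback is wider than `interval`, so a later tidy-up is likely to shrink it back and silently reintroduce whatever missed-anomaly problem #1092 was about. A why-comment above the key would pin the constraint, e.g. `# Lookback is deliberately wider than interval: ML anomaly records are indexed after the bucket closes, so a short window misses late results (see #1092).` If the detection engine dedupes ML alerts on the anomaly record id, as I would expect, the overlapping windows are harmless; if it does not, the same comment should also note the alert-volume trade-off. The identical hunk in ml_cloudtrail_rare_method_by_city.toml wants the same note.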
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_country.toml b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
index febcfd51b..7e34c2d3d 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/12"
 
 [rule]
 anomaly_threshold = 50
@@ -18,7 +18,7 @@ false_positives = [
 adoption of work from home policies; or users who travel frequently.
 """,
 ]
-from = "now-60m"
+from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_country"
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_user.toml b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
index d46edbdc1..ce0750614 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/12"
 
 [rule]
 anomaly_threshold = 75
@@ -17,7 +17,7 @@ false_positives = [
 automation scripts or workflows; adoption of new services; or changes in the way services are used.
 """,
 ]
-from = "now-60m"
+from = "now-2h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_username"
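Review bot: The `from = "now-2h"` line in ml_cloudtrail_rare_method_by_user.toml (and in the by_country rule above it) carries no comment tying the 2h window to the ML job's bucket span, even though the commit message says the bucket interval was reverted to 15m as part of the same work, so the two values can drift apart unnoticed. A note such as `# Must cover several bucket_spans of the rare_method_for_a_username job: anomalies are written after the bucket closes, so the window is wider than interval.` would record the dependency next to the value that depends on it. I would also check, hedged since it is outside this patch, whether any other rules under rules/ml still carry `from = "now-60m"` and should be brought in line for consistency.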