From 396cee32f162d2554ea594fc68474c8059e78e73 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Tue, 7 Dec 2021 09:09:03 -0300
Subject: [PATCH] [Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651)

* Update command_and_control_download_rar_powershell_from_internet.toml

* bump updated_date

(cherry picked from commit 7b0383ffe26b67342698ce11f4fd2903a56bc7eb)
---
 ...and_and_control_download_rar_powershell_from_internet.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index b1a288631..bf64d4062 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/05/27"
+updated_date = "2021/12/06"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
-language = "lucene"
+language = "kuery"
 license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
 note = """## Threat intel
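Review bot: The `language = "kuery"` change in the second hunk switches the query parser without any accompanying change to the rule's `query` field, since the diffstat `2 insertions(+), 2 deletions(-)` is fully accounted for by `updated_date` and `language`. Lucene and KQL do not parse the same string identically (operator precedence, wildcard and quoting rules differ), so the reviewer should confirm the existing query text, which lies outside this hunk, is valid KQL and yields the same matches as it did under Lucene; a query that still parses but with narrower semantics would silently reduce detection coverage. If the query was already written in KQL-compatible form, a short `# query is KQL; see language above` comment next to `query` would make the dependency between the two keys visible to future tuners. The `[rule]` table and the multi-line `note` string begin in this hunk and continue past its end.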