[Security Content] Include "Data Source: Elastic Defend" tag (#3002)

* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
This commit is contained in:
Jonhnathan
2023-09-05 15:22:01 -03:00
committed by GitHub
parent 6115a68aba
commit 4233fef238
470 changed files with 478 additions and 451 deletions
@@ -30,7 +30,7 @@ references = ["https://attack.mitre.org/techniques/T1571/"]
risk_score = 21
rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -33,7 +33,7 @@ references = [
risk_score = 47
rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -26,7 +26,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -30,7 +30,7 @@ references = [
risk_score = 47
rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -55,7 +55,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -32,7 +32,7 @@ references = ["https://objective-see.com/blog/blog_0x4F.html"]
risk_score = 47
rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -18,7 +18,7 @@ references = ["https://github.com/neoneggplant/EggShell"]
risk_score = 73
rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -58,7 +58,7 @@ references = [
risk_score = 73
rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -60,7 +60,7 @@ references = [
risk_score = 47
rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -28,7 +28,7 @@ references = [
risk_score = 73
rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -60,7 +60,7 @@ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat
risk_score = 47
rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
timeline_title = "Comprehensive File Timeline"
timestamp_override = "event.ingested"
@@ -29,7 +29,7 @@ references = [
risk_score = 47
rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence"]
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -24,7 +24,7 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-
risk_score = 47
rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -20,7 +20,7 @@ name = "SSH Authorized Keys File Modification"
risk_score = 47
rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -20,7 +20,7 @@ name = "Potential Privilege Escalation via Sudoers File Modification"
risk_score = 73
rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -24,7 +24,7 @@ name = "Setuid / Setgid Bit Set via chmod"
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -33,7 +33,7 @@ references = [
risk_score = 73
rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
type = "threshold"
query = '''
@@ -20,7 +20,7 @@ name = "Sudoers File Modification"
risk_score = 47
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -30,7 +30,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
risk_score = 47
rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
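Review bot: The rule `d79c4b2a-6134-4edd-86e6-564a92a933f9` is tagged `"Domain: Cloud"` and `"Data Source: Azure"` and, judging by the Microsoft Azure RBAC reference in the hunk header, runs over Azure activity logs rather than endpoint telemetry, so appending `"Data Source: Elastic Defend"` here looks like the bulk edit was applied too broadly. I would restore `tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]` for this file. The rule's `index` patterns are outside the hunk, but the tag presumably belongs only on rules whose indices are served by Elastic Defend; the `test_all_rules.py` change named in the description is the natural place to assert that so a mis-tagged rule fails CI instead of landing.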
@@ -28,13 +28,7 @@ references = ["https://code.kryo.se/iodine/"]
risk_score = 73
rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
query = '''
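Review bot: The previously wrapped `tags` array is rewritten as a single ~170-character line, which trades the readable one-tag-per-line form for a longer line and turns a one-line addition into a six-line removal plus a replacement; the same happens in the section for rule `4973e46b-a663-41b8-a875-ced16dda2bb0`. Keeping the wrapped layout and appending just `    "Data Source: Elastic Defend",` before the closing `]` preserves the existing style and keeps the diff minimal. If this is the output of the repo's rule formatter rather than a hand edit, it is worth confirming that the formatter is meant to collapse arrays of this length.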
@@ -23,7 +23,7 @@ name = "Suspicious Network Activity to the Internet by Previously Unknown Execut
risk_score = 21
rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -29,7 +29,7 @@ references = [
risk_score = 47
rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -23,7 +23,7 @@ references = [
risk_score = 47
rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -27,7 +27,7 @@ references = [
risk_score = 47
rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
severity = "medium"
tags = ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
tags = ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
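Review bot: In this file `"Data Source: Elastic Endgame"` is the first array element while the new `"Data Source: Elastic Defend"` is appended last, so the two data-source tags end up at opposite ends of the list, unlike the other sections in this commit where they sit adjacent. For consistency I would place the new tag next to its sibling: `tags = ["Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]`. This is purely a style point; tag order has no effect on rule behavior as far as the hunk shows.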
@@ -21,7 +21,7 @@ name = "Potential Linux Local Account Brute Force Detected"
risk_score = 47
rule_id = "835c0622-114e-40b5-a346-f843ea5d01f1"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.parent.executable, user.id with maxspan=1s
@@ -26,7 +26,7 @@ references = [
risk_score = 47
rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by process.parent.name,host.name with maxspan=1m
@@ -30,7 +30,7 @@ references = [
risk_score = 73
rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -20,7 +20,7 @@ name = "Attempt to Disable IPTables or Firewall"
risk_score = 21
rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -20,7 +20,7 @@ name = "Attempt to Disable Syslog Service"
risk_score = 47
rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -23,7 +23,7 @@ name = "Base16 or Base32 Encoding/Decoding Activity"
risk_score = 21
rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -27,7 +27,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -21,7 +21,7 @@ name = "Potential Disabling of SELinux"
risk_score = 47
rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -26,7 +26,7 @@ references = [
risk_score = 47
rule_id = "30bfddd7-2954-4c9d-bbc6-19a99ca47e23"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -21,7 +21,7 @@ name = "File Deletion via Shred"
risk_score = 21
rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -26,7 +26,7 @@ name = "File Permission Modification in Writable Directory"
risk_score = 21
rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -32,7 +32,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -26,7 +26,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -28,7 +28,7 @@ references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
risk_score = 47
rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -38,14 +38,7 @@ references = ["https://www.getambassador.io/resources/code-injection-on-linux-an
risk_score = 21
rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -27,7 +27,7 @@ references = [
risk_score = 47
rule_id = "aa895aea-b69c-4411-b110-8d7599634b30"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -28,7 +28,7 @@ references = [
risk_score = 47
rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -31,7 +31,7 @@ references = [
risk_score = 47
rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -24,7 +24,7 @@ references = [
risk_score = 47
rule_id = "97db8b42-69d8-4bf3-9fd4-c69a1d895d68"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -24,7 +24,7 @@ references = [
risk_score = 47
rule_id = "c125e48f-6783-41f0-b100-c3bf1b114d16"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -26,7 +26,7 @@ references = [
risk_score = 47
rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -25,7 +25,7 @@ references = [
risk_score = 47
rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -27,7 +27,7 @@ name = "Enumeration of Kernel Modules"
risk_score = 47
rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Hping"]
risk_score = 47
rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Nmap"]
risk_score = 47
rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -21,7 +21,7 @@ name = "Sudo Command Enumeration Detected"
risk_score = 21
rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -23,7 +23,7 @@ name = "SUID/SGUID Enumeration Detected"
risk_score = 21
rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -27,7 +27,7 @@ name = "Virtual Machine Fingerprinting"
risk_score = 73
rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -74,7 +74,7 @@ references = [
risk_score = 47
rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
type = "eql"
query = '''
+1 -1
@@ -20,7 +20,7 @@ name = "Interactive Terminal Spawned via Perl"
risk_score = 73
rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -41,7 +41,7 @@ references = [
risk_score = 73
rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -33,7 +33,7 @@ references = [
risk_score = 73
rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
+1 -1
@@ -21,7 +21,7 @@ risk_score = 73
rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
severity = "high"
timestamp_override = "event.ingested"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -23,7 +23,7 @@ name = "Potential Code Execution via Postgresql"
risk_score = 47
rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -97,7 +97,7 @@ references = [
risk_score = 47
rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -24,7 +24,7 @@ references = [
risk_score = 47
rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.parent.entity_id with maxspan=1s
@@ -23,7 +23,7 @@ references = [
risk_score = 47
rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
@@ -24,7 +24,7 @@ references = [
risk_score = 47
rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
@@ -25,7 +25,7 @@ references = [
risk_score = 47
rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
@@ -24,7 +24,7 @@ references = [
risk_score = 47
rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id with maxspan=1s
@@ -25,7 +25,7 @@ references = [
risk_score = 47
rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -23,7 +23,7 @@ name = "Suspicious System Commands Executed by Previously Unknown Executable"
risk_score = 21
rule_id = "e9001ee6-2d00-4d2f-849e-b8b1fb05234c"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -20,7 +20,7 @@ name = "Suspicious Mining Process Creation Event"
risk_score = 47
rule_id = "e2258f48-ba75-4248-951b-7c885edf18c2"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
+1 -1
@@ -23,7 +23,7 @@ references = [
risk_score = 73
rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -25,7 +25,7 @@ references = [
risk_score = 47
rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
+1 -1
@@ -25,7 +25,7 @@ references = [
risk_score = 47
rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -22,7 +22,7 @@ name = "Suspicious File Changes Activity Detected"
risk_score = 47
rule_id = "28738f9f-7427-4d23-bc69-756708b5f624"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
@@ -23,7 +23,7 @@ name = "Potential Linux Ransomware Note Creation Detected"
risk_score = 47
rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
@@ -50,7 +50,7 @@ This rule identifies a high number (10) of process terminations via pkill from t
risk_score = 47
rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
type = "threshold"
query = '''
@@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 47
rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 47
rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -25,7 +25,7 @@ references = [
risk_score = 47
rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -24,7 +24,7 @@ references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusi
risk_score = 47
rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -24,7 +24,7 @@ references = [
risk_score = 47
rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -22,7 +22,7 @@ references = [
risk_score = 73
rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -25,7 +25,7 @@ references = [
risk_score = 47
rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -127,7 +127,7 @@ references = [
risk_score = 47
rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
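Review bot: On the new tags line the added `"Data Source: Elastic Defend"` is appended after `"Resources: Investigation Guide"`, which splits it from the existing `"Data Source: Elastic Endgame"` entry, whereas in the sections of this commit without an investigation-guide tag the Defend tag directly follows the Endgame tag. Keeping the two data-source tags adjacent makes the list scannable and gives any ordering check a predictable shape: `tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Resources: Investigation Guide"]`. The same placement recurs in the other investigation-guide rules further down this page. The rule's `index` list, which would confirm that an Elastic Defend index pattern is actually queried and so justifies the tag, lies outside the hunk, so this note assumes the tag reflects the rule's real data sources.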
@@ -22,7 +22,7 @@ references = [
risk_score = 47
rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -29,7 +29,7 @@ references = [
risk_score = 47
rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -88,7 +88,7 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0
risk_score = 47
rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -105,7 +105,7 @@ references = [
risk_score = 73
rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -83,7 +83,7 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign
risk_score = 47
rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -121,7 +121,7 @@ references = [
risk_score = 47
rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
type = "new_terms"
query = '''
host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
@@ -120,7 +120,7 @@ references = [
risk_score = 73
rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -106,7 +106,7 @@ references = [
risk_score = 47
rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
type = "new_terms"
query = '''
host.os.type : "linux" and event.category : "file" and
@@ -25,7 +25,7 @@ references = ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"]
risk_score = 47
rule_id = "aebaa51f-2a91-4f6a-850b-b601db2293f4"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -135,7 +135,7 @@ references = [
risk_score = 21
rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
@@ -26,7 +26,7 @@ references = [
risk_score = 47
rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -23,7 +23,7 @@ references = ["https://www.exploit-db.com/papers/33930"]
risk_score = 21
rule_id = "4a99ac6f-9a54-4ba5-a64f-6eb65695841b"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -41,7 +41,7 @@ references = [
risk_score = 47
rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -23,7 +23,7 @@ references = [
risk_score = 47
rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -23,7 +23,7 @@ name = "Suspicious Symbolic Link Created"
risk_score = 21
rule_id = "8a024633-c444-45c0-a4fe-78128d8c1ab6"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
