Add timeline_id to detection rules (#95)

* Adds timeline_id to all network rules - Uses the ID for the 'Generic Network Timeline' from Elastic * Adds timeline_id to all endpoint rules - Uses the ID for the 'Generic Endpoint Timeline' from Elastic * Adds timeline_id to all process-oriented rules - Uses the ID for the 'Generic Process Timeline' from Elastic * Ran tests and toml-lint * Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
parent 2065af89b1
commit 580db2c13e
183 changed files with 368 additions and 191 deletions
@@ -1,6 +1,6 @@
 # rules/

-Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several [.toml](https://github.com/toml-lang/toml) files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. [`windows/execution_via_compiled_html_file.toml`](windows/execution_via_compiled_html_file.toml))  
+Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several [.toml](https://github.com/toml-lang/toml) files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. [`windows/execution_via_compiled_html_file.toml`](windows/execution_via_compiled_html_file.toml))

 | folder                              |  description                                                         |
 |-------------------------------------|----------------------------------------------------------------------|
@@ -33,7 +33,7 @@ type = "query"
 query = '''
 event.dataset:(azure.activitylogs or azure.auditlogs) and
  (
-    azure.activitylogs.operation_name:"Consent to application" or 
+    azure.activitylogs.operation_name:"Consent to application" or
    azure.auditlogs.operation_name:"Consent to application"
  ) and
  event.outcome:success
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 21
 rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 21
 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/29"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 73
 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 73
 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 21
 rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73
 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 73
 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 73
 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "61c31c14-507f-4627-8c31-072556b89a9c"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -32,6 +32,7 @@ risk_score = 47
 rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 47
 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 47
 rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 21
 rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 21
 rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47
 rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "3a86e085-094c-412d-97ff-2439731e59cb"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 73
 rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
 severity = "high"
 tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe"
 severity = "high"
 tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc"
 severity = "medium"
 tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -21,7 +21,7 @@ machine_learning_job_id = "linux_anomalous_network_activity_ecs"
 name = "Unusual Linux Network Activity"
 note = """### Investigating Unusual Network Activity ###
 Detection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual.  Here are some possible avenues of investigation:
- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? 
+- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?
 - If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.
 - Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.
@@ -27,7 +27,7 @@ note = """### Investigating an Unusual Windows Process ###
 Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. 
+- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package.
 - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
@@ -22,7 +22,7 @@ machine_learning_job_id = "windows_anomalous_network_activity_ecs"
 name = "Unusual Windows Network Activity"
 note = """### Investigating Unusual Network Activity ###
 Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual.  Here are some possible avenues of investigation:
- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? 
+- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?
 - If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.
 - Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
@@ -25,7 +25,7 @@ machine_learning_job_id = "windows_rare_user_type10_remote_login"
 name = "Unusual Windows Remote User"
 note = """### Investigating an Unusual Windows User ###
 Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? 
+- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
 - Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -30,6 +30,7 @@ risk_score = 73
 rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
 severity = "high"
 tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -33,10 +33,11 @@ risk_score = 47
 rule_id = "6ea71ff0-9e95-475b-9506-2580d1ce6154"
 severity = "medium"
 tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
-event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) 
+event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)
 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or
  172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb")
 '''
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -31,6 +31,7 @@ risk_score = 47
 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
 severity = "medium"
 tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 73
 rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
 severity = "high"
 tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -30,6 +30,7 @@ risk_score = 21
 rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43"
 severity = "low"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -29,11 +29,12 @@ risk_score = 73
 rule_id = "2e580225-2a58-48ef-938b-572933be06fe"
 severity = "high"
 tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
-event.category:(network OR network_traffic) AND network.protocol:http AND 
-  network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND 
+event.category:(network OR network_traffic) AND network.protocol:http AND
+  network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND
  destination.port:(53 OR 80 OR 8080 OR 443)
 '''

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -29,6 +29,7 @@ risk_score = 47
 rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -29,6 +29,7 @@ risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf"
 severity = "low"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 21
 rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
 severity = "low"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -31,6 +31,7 @@ risk_score = 47
 rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -30,6 +30,7 @@ risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 21
 rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4"
 severity = "low"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -30,6 +30,7 @@ risk_score = 47
 rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -29,6 +29,7 @@ risk_score = 21
 rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
 severity = "low"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -29,6 +29,7 @@ risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/09/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -30,6 +30,7 @@ risk_score = 21
 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511"
 severity = "low"
 tags = ["Elastic", "Network", "Threat Detection", "Discovery"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -29,6 +29,7 @@ risk_score = 21
 rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5"
 severity = "low"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/08/11"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -29,6 +29,7 @@ risk_score = 47
 rule_id = "31295df3-277b-4c56-a1fb-84e31b4222a9"
 severity = "medium"
 tags = ["Elastic", "Network", "Threat Detection", "Initial Access"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/07/08"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
 rule_name_override = "message"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 timestamp_override = "event.ingested"
 type = "query"

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 99
 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
 severity = "critical"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "80c52164-c82a-402c-9964-852533d58be1"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 99
 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
 severity = "critical"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/03/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 47
 rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -17,6 +17,7 @@ risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -24,10 +24,11 @@ risk_score = 73
 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
-event.category:file and not event.type:deletion and 
+event.category:file and not event.type:deletion and
 file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)
 '''

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 73
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 73
 rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 73
 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "28896382-7d4f-4d50-9b72-67091901fd26"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"

 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 47
 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"

 query = '''
--- a/Show More
+++ b/Show More