[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948)

* [Rule Tuning] Add timestamp_override field to 7.11.0 rules * Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
parent 66be82808c
commit 61deed3fd2
360 changed files with 1640 additions and 1152 deletions
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2020/02/16"

 [rule]
 author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 21
 rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
 type = "query"

 query = '''
@@ -43,6 +44,7 @@ name = "Kernel Modules and Extensions"
 reference = "https://attack.mitre.org/techniques/T1547/006/"


+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"