security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948)

Browse Source 
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
This commit is contained in:
Justin Ibarra
2021-02-16 10:52:48 -09:00
committed by GitHub
parent 66be82808c
commit 61deed3fd2
360 changed files with 1640 additions and 1152 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/initial_access_script_executing_powershell.toml
+3 -1
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2020/12/17"
updated_date = "2020/02/16"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ risk_score = 21
rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -37,6 +38,7 @@ name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"