[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945)

* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
Justin Ibarra
2021-02-17 19:49:58 -09:00
committed by GitHub
parent 134b310fdd
commit 645a0cd67b
184 changed files with 436 additions and 164 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/04"
maturity = "production"
updated_date = "2021/01/04"
updated_date = "2021/02/11"
[rule]
author = ["Elastic", "Willem D'Haese"]
@@ -26,6 +26,7 @@ risk_score = 73
rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
severity = "high"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/21"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2020/12/20"
maturity = "production"
updated_date = "2020/12/20"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as
Antivirus or Host Firewall details.
Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus
or Host Firewall details.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*"]
@@ -18,6 +18,7 @@ risk_score = 47
rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery"]
timestamp_override = "event.ingested"
type = "query"
query = '''
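Review bot: The added `timestamp_override = "event.ingested"` only changes which field the `from = "now-9m"` window is evaluated against; it does not ensure the field exists, and this rule's `index` includes `auditbeat-*`, where `event.ingested` is present only if an ingest pipeline populates it (unlike `logs-endpoint.events.*`, where I would expect it). Documents lacking the field are, as far as I know, either evaluated on `@timestamp` or dropped from the window depending on the consumer's fallback behaviour, so for such sources the ingest-delay gap this commit is meant to close may persist, or events may be excluded outright — worth confirming for the Kibana version the rules target. The same consideration applies to every section in this commit that adds the override; the lookback tests the commit description mentions cannot catch it since it is a property of the data sources rather than of the rule file.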
@@ -68,3 +69,4 @@ reference = "https://attack.mitre.org/techniques/T1518/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -1,14 +1,11 @@
[metadata]
creation_date = "2021/01/12"
maturity = "production"
updated_date = "2021/01/12"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and
Linux.
"""
description = "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux."
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
@@ -19,8 +16,10 @@ risk_score = 73
rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/13"
maturity = "development"
updated_date = "2021/01/13"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/07"
maturity = "production"
updated_date = "2020/01/07"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
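Review bot: `creation_date = "2020/01/07"` on rule `a1a0375f-22c2-48c0-81a4-7c2d11cc6856` looks a year early — the surrounding Linux/macOS rules in this commit carry creation dates in December 2020 and January 2021, and this file's previous `updated_date` was the same January-2020 value. The ordering test the commit description adds (updated > creation) would pass a creation date that is too early rather than flag it, so this is an inference from the dates alone and should be checked against the file history. The same January-2020 creation dates appear on the sections for `20457e4f-d1de-4b92-ae69-142e27a4342a`, `9092cd6c-650f-4fa3-8a8a-28256c7489c9`, `d75991f2-b989-419d-b797-ac1e54ec2d61`, `c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d`, `b00bcd89-000c-4425-b94c-716ef67762f6`, `70fa1af4-27fd-4f26-bd03-50b6af6b9e24`, `35330ba2-c859-4c98-8b7f-c19159ea0e58`, `16904215-2c95-4ac8-bf5c-12354e047192`, `15dacaa0-5b90-466b-acab-63435a59701a`, `41b638a1-8ab6-4f8e-86d9-466317ef2db5`, `f24bcae1-8980-4b30-b5dd-f851b055c9e7` and `083fa162-e790-4d85-9aeb-4fea04188adb`. If they are typos, the fix is the single line `creation_date = "2021/01/07"` (and the corresponding year on the others).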
@@ -20,6 +20,7 @@ risk_score = 73
rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1059/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -18,6 +18,7 @@ risk_score = 47
rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
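Review bot: No `updated_date` bump accompanies the new `timestamp_override` line for rule `8acb7614-1d92-4359-bfcf-478b6d9de150` — every other section in this commit pairs the field addition with a `[metadata]` change, while this one shows only the `[rule]` hunk; the sections for `bc1eeacf-2972-434f-b782-3a532b100d67` and `89fa6cb7-6b53-4de2-b604-648488841ab8` have the same shape. Possibly these files already carry a current `updated_date` from an earlier change (one section in this commit shows `2021/02/16`), but if not, the rule metadata would not reflect this tuning and downstream consumers that key on `updated_date` would not see it as changed. The `[metadata]` table of this file is outside the hunk, so I cannot tell from here.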
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/21"
maturity = "production"
updated_date = "2020/12/21"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -9,7 +9,9 @@ description = """
Adversaries may modify the standard authentication module for persistence via patching the normal authorization process
or modifying the login configuration to allow unauthorized access or elevate privileges.
"""
false_positives = ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."]
false_positives = [
"Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
@@ -25,6 +27,7 @@ risk_score = 47
rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Credential Access", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -46,6 +49,7 @@ event.category:file and event.type:change and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -53,6 +57,7 @@ id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
@@ -69,3 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1556/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/15"
maturity = "production"
updated_date = "2021/01/15"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
rule_id = "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8"
severity = "low"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -53,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1053/003/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2021/01/19"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 47
rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Execution", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -69,3 +70,4 @@ reference = "https://attack.mitre.org/techniques/T1546/004/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2020/12/22"
maturity = "production"
updated_date = "2020/12/22"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key
authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -18,6 +18,7 @@ risk_score = 47
rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1098/004/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/26"
maturity = "production"
updated_date = "2021/01/26"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ risk_score = 73
rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -37,6 +38,7 @@ name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/22"
maturity = "production"
updated_date = "2020/12/22"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 47
rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Collection", "Credential Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -93,3 +94,4 @@ reference = "https://attack.mitre.org/techniques/T1560/001/"
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/21"
maturity = "production"
updated_date = "2020/12/21"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 73
rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -83,3 +84,4 @@ reference = "https://attack.mitre.org/techniques/T1554/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/08"
maturity = "production"
updated_date = "2020/07/08"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Auditd Max Failed Login Attempts"
references = ["https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574"]
references = [
"https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574",
]
risk_score = 47
rule_id = "fb9937ce-7e21-46bf-831d-1ad96eac674d"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/08"
maturity = "production"
updated_date = "2020/07/08"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Auditd Login from Forbidden Location"
references = ["https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412"]
references = [
"https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412",
]
risk_score = 73
rule_id = "cab4f01c-793f-4a54-a03e-e5d85b96d7af"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/08"
maturity = "production"
updated_date = "2020/07/08"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Auditd Max Login Sessions"
references = ["https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007"]
references = [
"https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007",
]
risk_score = 47
rule_id = "20dc4620-3b68-4269-8124-ca5091e00ea8"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
+6 -2
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/08"
maturity = "production"
updated_date = "2020/07/08"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Auditd Login Attempt at Forbidden Time"
references = ["https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666"]
references = [
"https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666",
]
risk_score = 47
rule_id = "90e28af7-1d96-4582-bf11-9a1eff21d0e5"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/21"
maturity = "production"
updated_date = "2020/12/21"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -9,7 +9,9 @@ description = """
Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to
enable unauthorized access or by logging SSH credentials for exfiltration.
"""
false_positives = ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."]
false_positives = [
"Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes.",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
@@ -20,6 +22,7 @@ risk_score = 47
rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -54,3 +57,4 @@ reference = "https://attack.mitre.org/techniques/T1556/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/06"
maturity = "production"
updated_date = "2021/01/06"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47
rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1547/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/27"
maturity = "production"
updated_date = "2021/01/27"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 47
rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/04"
maturity = "production"
updated_date = "2020/02/11"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73
rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -58,3 +59,4 @@ reference = "https://attack.mitre.org/techniques/T1555/003/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/25"
maturity = "production"
updated_date = "2021/01/25"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 73
rule_id = "02ea4563-ec10-4974-b7de-12e65aa4f9b3"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/04"
maturity = "production"
updated_date = "2021/01/04"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/06"
maturity = "production"
updated_date = "2020/01/06"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 73
rule_id = "9092cd6c-650f-4fa3-8a8a-28256c7489c9"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/05"
maturity = "production"
updated_date = "2021/01/05"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47
rule_id = "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -43,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1539/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/07"
maturity = "production"
updated_date = "2020/02/11"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
rule_id = "d75991f2-b989-419d-b797-ac1e54ec2d61"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/15"
maturity = "production"
updated_date = "2021/01/15"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
rule_id = "f683dcdf-a018-4801-b066-193d4ae6c8e5"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -41,6 +42,7 @@ name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/11"
maturity = "production"
updated_date = "2021/01/11"
updated_date = "2021/02/16"
[rule]
author = ["Elastic"]
@@ -9,6 +9,7 @@ description = """
Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only
trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -21,6 +22,7 @@ risk_score = 47
rule_id = "4da13d6e-904f-4636-81d8-6ab14b4e6ae9"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -41,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1553/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -22,6 +22,7 @@ risk_score = 47
rule_id = "bc1eeacf-2972-434f-b782-3a532b100d67"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/01/14"
maturity = "production"
updated_date = "2021/01/14"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own
malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain
Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their
own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain
restrictions.
"""
from = "now-9m"
@@ -22,6 +22,7 @@ risk_score = 47
rule_id = "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -48,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1574/007/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/23"
maturity = "production"
updated_date = "2020/12/23"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 47
rule_id = "eea82229-b002-470e-a9e1-00be38b14d32"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -49,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/11"
maturity = "production"
updated_date = "2020/01/11"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 73
rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/14"
maturity = "production"
updated_date = "2021/01/14"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
rule_id = "6482255d-f468-45ea-a5b3-d3a7de1331ae"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -49,6 +50,7 @@ name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/11"
maturity = "production"
updated_date = "2021/01/11"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 73
rule_id = "d22a85c6-d2ad-4cc4-bf7b-54787473669a"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/04"
maturity = "production"
updated_date = "2020/01/04"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -40,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1006/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,13 +1,11 @@
[metadata]
creation_date = "2020/01/05"
maturity = "production"
updated_date = "2020/01/05"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.
"""
description = "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command."
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
@@ -17,6 +15,7 @@ risk_score = 73
rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -37,7 +36,9 @@ name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,13 +1,11 @@
[metadata]
creation_date = "2021/01/12"
maturity = "production"
updated_date = "2021/01/12"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of macOS built-in commands related to account or group enumeration.
"""
description = "Identifies the execution of macOS built-in commands related to account or group enumeration."
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
@@ -17,6 +15,7 @@ risk_score = 21
rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Discovery"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -27,7 +26,6 @@ process where event.type in ("start", "process_started") and
(process.name : "dscl" and
process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
'''
@@ -48,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1087/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/07"
maturity = "production"
updated_date = "2020/01/07"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47
rule_id = "35330ba2-c859-4c98-8b7f-c19159ea0e58"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion", "Execution"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1548/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/23"
maturity = "production"
updated_date = "2020/12/23"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 73
rule_id = "080bc66a-5d56-4d1f-8071-817671716db9"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Initial Access", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -70,3 +71,4 @@ reference = "https://attack.mitre.org/techniques/T1189/"
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/04"
maturity = "production"
updated_date = "2021/01/04"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -62,7 +63,9 @@ name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2020/01/12"
maturity = "production"
updated_date = "2020/01/12"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos
tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.
Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or
attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -19,6 +19,7 @@ risk_score = 73
rule_id = "16904215-2c95-4ac8-bf5c-12354e047192"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -26,6 +27,7 @@ event.category:process and event.type:start and
process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab))))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -37,6 +39,8 @@ id = "T1550.003"
name = "Pass the Ticket"
reference = "https://attack.mitre.org/techniques/T1550/003/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
@@ -53,3 +57,4 @@ reference = "https://attack.mitre.org/techniques/T1558/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/25"
maturity = "production"
updated_date = "2021/01/25"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
rule_id = "661545b4-1a90-4f45-85ce-2ebd7c6a15d0"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/25"
maturity = "production"
updated_date = "2020/01/25"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
rule_id = "15dacaa0-5b90-466b-acab-63435a59701a"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -44,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/05"
maturity = "production"
updated_date = "2020/01/05"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
rule_id = "41b638a1-8ab6-4f8e-86d9-466317ef2db5"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/05"
maturity = "production"
updated_date = "2020/01/05"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ risk_score = 47
rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -60,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1059/002/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2021/01/13"
maturity = "production"
updated_date = "2021/01/13"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively
supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to
persist and/or collect clear text credentials as they traverse the registered plugins during user logon.
supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature
to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -23,6 +23,7 @@ risk_score = 47
rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Credential Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -49,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1547/002/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/07"
maturity = "production"
updated_date = "2020/01/07"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47
rule_id = "083fa162-e790-4d85-9aeb-4fea04188adb"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -43,6 +44,7 @@ name = "Launch Agent"
reference = "https://attack.mitre.org/techniques/T1543/001/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
@@ -58,7 +60,10 @@ id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -20,6 +20,7 @@ risk_score = 47
rule_id = "89fa6cb7-6b53-4de2-b604-648488841ab8"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2020/12/18"
maturity = "production"
updated_date = "2020/12/18"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a
malicious application instead of the intended one when invoked.
An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious
application instead of the intended one when invoked.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -15,12 +15,16 @@ language = "kuery"
license = "Elastic License"
name = "Persistence via Docker Shortcut Modification"
references = [
"https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",
"""
https://github.com/specterops/presentations/raw/master/Leo
Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
""",
]
risk_score = 47
rule_id = "c81cefcb-82b9-4408-a533-3c3df549e62d"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -30,7 +34,6 @@ event.category : file and event.action : modification and
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -43,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1543/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/11"
maturity = "production"
updated_date = "2021/01/11"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
rule_id = "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/11"
maturity = "production"
updated_date = "2021/01/11"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
rule_id = "3e3d15c6-1509-479a-b125-21718372157e"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/04"
maturity = "production"
updated_date = "2020/01/04"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
rule_id = "cc2fd2d0-ba3a-4939-b87f-2901764ed036"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/05"
maturity = "production"
updated_date = "2020/01/05"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 47
rule_id = "092b068f-84ac-485d-8a55-7dd9e006715f"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,12 +1,13 @@
[metadata]
creation_date = "2021/01/21"
maturity = "production"
updated_date = "2021/01/21"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.
Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to
run a program during system boot or user login for persistence.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -19,6 +20,7 @@ risk_score = 47
rule_id = "ac412404-57a5-476f-858f-4e8fbb4f48d8"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -45,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1547/011/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2020/12/23"
maturity = "production"
updated_date = "2020/02/11"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time
the Sublime application is started.
Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the
Sublime application is started.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -19,6 +19,7 @@ risk_score = 21
rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -36,7 +37,6 @@ file where event.type in ("change", "creation") and file.extension : "py" and
"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper",
"/Applications/Sublime Text.app/Contents/MacOS/plugin_host"
)
'''
@@ -52,3 +52,4 @@ reference = "https://attack.mitre.org/techniques/T1554/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/21"
maturity = "production"
updated_date = "2021/01/21"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 21
rule_id = "48ec9452-e1fd-4513-a376-10a1a26d2c83"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2021/01/19"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 47
rule_id = "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1546/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/21"
maturity = "production"
updated_date = "2021/01/21"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -22,9 +22,11 @@ risk_score = 21
rule_id = "b4449455-f986-4b5a-82ed-e36b129331f7"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:"file" and not event.type:"deletion" and
file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/27"
maturity = "production"
updated_date = "2020/12/27"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -51,3 +52,4 @@ reference = "https://attack.mitre.org/techniques/T1059/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/07"
maturity = "production"
updated_date = "2021/01/25"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47
rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2021/01/19"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 73
rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -52,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1068/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/05"
maturity = "production"
updated_date = "2020/01/05"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
rule_id = "565c2b44-7a21-4818-955f-8d4737967d2e"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -44,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1078/003/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
@@ -22,6 +22,7 @@ risk_score = 73
rule_id = "0ff84c42-873d-41a2-a4ed-08d74d352d01"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -21,6 +21,7 @@ false_positives = [
server that has no known associated FTP workflow or business requirement is often suspicious.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -20,6 +20,7 @@ false_positives = [
and usually only appears in local traffic using private IPs, which does not match this rule's conditions.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -19,6 +19,7 @@ false_positives = [
port in the range by coincidence. This is uncommon but such servers can be excluded.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -16,6 +16,7 @@ false_positives = [
expected behavior.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -19,6 +19,7 @@ false_positives = [
this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
be excluded.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -22,6 +22,7 @@ false_positives = [
port in the range by coincidence. In this case, such servers can be excluded if desired.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -21,6 +21,7 @@ false_positives = [
not unexpected.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -17,6 +17,7 @@ false_positives = [
case, such devices or networks can be excluded from this rule if this is expected behavior.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
database instances are accessed directly across the Internet.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -21,6 +21,7 @@ false_positives = [
not unexpected.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -20,6 +20,7 @@ false_positives = [
unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -20,6 +20,7 @@ false_positives = [
server that has no known associated Telnet work-flow or business requirement is often suspicious.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -18,6 +18,7 @@ false_positives = [
this case, such servers can be excluded if desired.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -19,6 +19,7 @@ false_positives = [
that is unfamiliar to server or network owners can be unexpected and suspicious.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -19,6 +19,7 @@ false_positives = [
that is unfamiliar to server or network owners can be unexpected and suspicious.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -20,6 +20,7 @@ false_positives = [
unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.
""",
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ system administrators to remotely control a system for maintenance or to use sha
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
"""
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ system administrators to remotely control a system for maintenance or to use sha
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
back-door vector.
"""
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -11,6 +11,7 @@ the Internet. SMB is commonly used within networks to share files, printers, and
systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by
threat actors as an initial access or back-door vector or for data exfiltration.
"""
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -10,6 +10,7 @@ Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest,
mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.
"""
false_positives = ["Legitimate exchange system administration activity."]
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License"
@@ -10,6 +10,7 @@ Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a n
Adversaries may target user email to collect sensitive information.
"""
false_positives = ["Legitimate exchange system administration activity."]
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License"
@@ -9,6 +9,7 @@ description = """
Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in
preparation for exfiltration.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/03/19"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/01/28"
[rule]
author = ["Elastic"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/11"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/01/28"
[rule]
author = ["Elastic"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/30"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/01/28"
[rule]
author = ["Elastic"]
@@ -34,12 +34,11 @@ id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -52,6 +51,7 @@ name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 73
rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47
rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/12"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/02/11"
[rule]
author = ["Elastic", "Anabella Cristaldi"]
@@ -18,6 +18,7 @@ risk_score = 21
rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/02/01"
maturity = "production"
updated_date = "2021/02/01"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 21
rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -55,3 +56,4 @@ reference = "https://attack.mitre.org/techniques/T1553/004/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/23"
maturity = "production"
updated_date = "2021/02/08"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -7,6 +7,7 @@ updated_date = "2021/02/16"
author = ["Elastic"]
description = "Identifies possibly suspicious activity using trusted Windows developer activity."
false_positives = ["These programs may be used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/01/28"
[rule]
author = ["Elastic"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/24"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/01/28"
[rule]
author = ["Elastic"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2021/01/28"
[rule]
author = ["Elastic"]
