[Rule Tuning] Add endgame support for Linux Rules (#2436)

* [Rule Tuning] Add endgame support for Linux Rules * [Rule Tuning] Add endgame support for Linux Rules * . * Update persistence_insmod_kernel_module_load.toml
2023-01-23 20:53:15 -03:00
parent 7cde7901e3
commit 77c8665f11
34 changed files with 109 additions and 109 deletions
@@ -2,9 +2,9 @@
 creation_date = "2020/04/15"
 integration = ["endpoint"]
 maturity = "production"
+updated_date = "2022/12/20"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -13,14 +13,14 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
 interactive tty after obtaining initial access to a host.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Python"
 risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"