[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)

* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals so that interval >= 1/2 maxspan

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 4aab1278bf)
Justin Ibarra
2021-07-22 09:08:58 -08:00
committed by github-actions[bot]
parent cae7fac266
commit 8deeab2c4d
4 changed files with 12 additions and 10 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/07/19"
[rule]
author = ["Elastic"]
@@ -9,7 +9,7 @@ description = """
Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often
leveraged by adversaries to execute malicious scripts and evade detection.
"""
from = "now-9m"
from = "now-20m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
@@ -21,7 +21,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
query = '''
sequence by process.entity_id with maxspan=2h
sequence by process.entity_id with maxspan=10m
[process where event.type in ("start", "process_started") and process.name : "mshta.exe" and
not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
@@ -48,4 +48,3 @@ reference = "https://attack.mitre.org/techniques/T1218/005/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
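Review bot: Cutting `maxspan=2h` to `maxspan=10m` in the `sequence by process.entity_id` query is a detection-coverage change, not only a lookback fix, yet the title and description speak only of lookback; a process-start followed by its outbound connection more than ten minutes later no longer forms a match. The rule's `interval` key is not in this hunk, so whether `from = "now-20m"` leaves the intended margin over maxspan cannot be confirmed from here. Since the constraint couples three keys that live in two different parts of the file, record it once above `from`, e.g. `# lookback (from) must cover the query's maxspan plus the run interval; maxspan was reduced to keep them aligned` — if the repo's rule tooling rewrites these files and drops comments, the `note` field or the commit description is the alternative place.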
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/07/19"
[rule]
author = ["Elastic"]
@@ -9,8 +9,9 @@ description = """
Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of
RunDLL32 could indicate malicious activity.
"""
from = "now-9m"
from = "now-60m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
interval = "30m"
language = "eql"
license = "Elastic License v2"
name = "Unusual Child Processes of RunDLL32"
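Review bot: With `from = "now-60m"` and the new `interval = "30m"`, consecutive runs overlap by 30m, so only sequences whose span is at most 30m are guaranteed to fall entirely inside one query window; if this rule's maxspan (not visible in the hunk) is nearer to 60m, a sequence that straddles two windows can still be missed, which is the class of gap the commit sets out to close. The Office section (`from = "now-120m"`, `interval = "60m"`) and the PDF reader section (same values) below use the same 2:1 ratio and inherit the same caveat. The longer interval also raises worst-case time-to-alert to roughly one interval, a tradeoff a future tuner should see; a one-line comment above the key would do, e.g. `# interval = 1/2 maxspan: wider windows for long sequences at the cost of up to 30m alert latency`.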
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/07/19"
[rule]
author = ["Elastic"]
@@ -9,8 +9,9 @@ description = """
Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often
launched via scripts inside documents or during exploitation of MS Office applications.
"""
from = "now-9m"
from = "now-120m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Execution of File Written or Modified by Microsoft Office"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/07/19"
[rule]
author = ["Elastic"]
@@ -9,8 +9,9 @@ description = """
Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are
often launched via exploitation of PDF applications.
"""
from = "now-9m"
from = "now-120m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Execution of File Written or Modified by PDF Reader"