[Rule Tuning] Reduce Severity from Critical to High (#4637)

This commit is contained in:
Jonhnathan
2025-05-06 09:07:47 -07:00
committed by GitHub
parent 944428d81e
commit d3aa4b2f38
8 changed files with 24 additions and 24 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/04/22"
[transform]
[[transform.osquery]]
@@ -101,7 +101,7 @@ references = [
"https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip",
]
risk_score = 99
risk_score = 73
rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64"
setup = """## Setup
@@ -112,7 +112,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "critical"
severity = "high"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
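Review bot: The new `updated_date = "2025/04/22"` in the first hunk is earlier than this commit's own date (2025-05-06), so if that field is meant to record when the rule last changed it is already stale at merge; the same value is written in every other file section of this commit, so one regeneration of the metadata would correct all of them. The `risk_score = 73` / `severity = "high"` pair in the later hunks matches Elastic's default score for high severity, so that part is internally consistent and needs no change. Nothing in the changed lines or the visible commit record says why these threat-match rules were downgraded from critical; a sentence in the PR body giving the reason (for instance that an indicator match alone does not confirm compromise) would make the next tuning pass easier to judge. Each severity/risk_score hunk sits inside a `[rule]` table whose start and end lie outside the hunk.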
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2025/04/11"
maturity = "production"
updated_date = "2025/04/11"
updated_date = "2025/04/22"
[rule]
author = ["Elastic"]
@@ -68,7 +68,7 @@ references = [
"https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip",
]
risk_score = 99
risk_score = 73
rule_id = "fcf18de8-ad7d-4d01-b3f7-a11d5b3883af"
setup = """## Setup
@@ -79,7 +79,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "critical"
severity = "high"
tags = ["Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/04/22"
[transform]
[[transform.osquery]]
@@ -100,7 +100,7 @@ references = [
"https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip",
]
risk_score = 99
risk_score = 73
rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca"
setup = """## Setup
@@ -111,7 +111,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "critical"
severity = "high"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/04/22"
[transform]
[[transform.osquery]]
@@ -95,7 +95,7 @@ references = [
"https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip",
]
risk_score = 99
risk_score = 73
rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60"
setup = """## Setup
@@ -106,7 +106,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "critical"
severity = "high"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/04/22"
[transform]
[[transform.osquery]]
@@ -104,7 +104,7 @@ references = [
"https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip",
]
risk_score = 99
risk_score = 73
rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3"
setup = """## Setup
@@ -115,7 +115,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "critical"
severity = "high"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
@@ -2,7 +2,7 @@
creation_date = "2024/05/29"
integration = ["ti_rapid7_threat_command"]
maturity = "production"
updated_date = "2025/03/21"
updated_date = "2025/04/22"
[rule]
author = ["Elastic"]
@@ -41,7 +41,7 @@ references = [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
"https://docs.elastic.co/integrations/ti_rapid7_threat_command",
]
risk_score = 99
risk_score = 73
rule_id = "3a657da0-1df2-11ef-a327-f661ea17fbcc"
setup = """
## Setup
@@ -57,7 +57,7 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu
For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "critical"
severity = "high"
tags = [
"OS: Windows",
"Data Source: Elastic Endgame",