* Revert #1440 new endpoint promotion rule
* Set the updated_at date
Removed changes from:
- rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml
(selectively cherry picked from commit c9d6527280)
* Add Aggregated Risk Level
* There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on.
* An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types
(cherry picked from commit 8b2c8c2e03)
* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit 3b338baab0)
Ross Wolf