[Rule Tuning] Decrease Interval to 1m for Endpoint Promotions (#4450)

Mikaayenson · web-flow · commit c7f538571130 · 2025-02-07T08:30:35.000-06:00
diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/01/17"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +15,9 @@ allows you to immediately begin investigating your Endpoint memory signature ale
 memory signature detections only, and does not include prevention alerts.
 """
 enabled = false
-from = "now-10m"
+from = "now-2m"
 index = ["logs-endpoint.alerts-*"]
-interval = "5m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +15,9 @@ allows you to immediately begin investigating your Endpoint memory signature ale
 memory signature preventions only, and does not include detection only alerts.
 """
 enabled = false
-from = "now-10m"
+from = "now-2m"
 index = ["logs-endpoint.alerts-*"]
-interval = "5m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -14,8 +14,9 @@ Generates a detection alert each time an Elastic Defend alert is received. Enabl
 immediately begin investigating your Endpoint alerts.
 """
 enabled = true
-from = "now-10m"
+from = "now-2m"
 index = ["logs-endpoint.alerts-*"]
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/01/17"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +15,9 @@ allows you to immediately begin investigating your Endpoint behavior alerts. Thi
 behavior detections only, and does not include prevention alerts.
 """
 enabled = false
-from = "now-10m"
+from = "now-2m"
 index = ["logs-endpoint.alerts-*"]
-interval = "5m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/01/17"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +15,9 @@ allows you to immediately begin investigating your Endpoint behavior alerts. Thi
 behavior preventions only, and does not include detection only alerts.
 """
 enabled = false
-from = "now-10m"
+from = "now-2m"
 index = ["logs-endpoint.alerts-*"]
-interval = "5m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/01/17"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +15,9 @@ you to immediately begin investigating your Endpoint malicious file alerts. This
 malicious file detections only, and does not include prevention alerts.
 """
 enabled = false
-from = "now-10m"
+from = "now-2m"
 index = ["logs-endpoint.alerts-*"]
-interval = "5m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/01/17"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +15,9 @@ you to immediately begin investigating your Endpoint malicious file alerts. This
 malicious file preventions only, and does not include detection only alerts.
 """
 enabled = false
-from = "now-10m"
+from = "now-2m"
 index = ["logs-endpoint.alerts-*"]
-interval = "5m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/01/17"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +15,9 @@ to immediately begin investigating your Endpoint ransomware alerts. This rule id
 detections only, and does not include prevention alerts.
 """
 enabled = false
-from = "now-10m"
+from = "now-2m"
 index = ["logs-endpoint.alerts-*"]
-interval = "5m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/01/17"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +15,9 @@ to immediately begin investigating your Endpoint ransomware alerts. This rule id
 preventions only, and does not include detection only alerts.
 """
 enabled = false
-from = "now-10m"
+from = "now-2m"
 index = ["logs-endpoint.alerts-*"]
-interval = "5m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
