Adds timeline_id to all endpoint rules

- Uses the ID for the 'Generic Endpoint Timeline' from Elastic

rules/promotions/elastic_endpoint.toml

@@ -23,6 +23,7 @@ rule_name_override = "message"
 severity = "medium"
 tags = ["Elastic", "Endpoint"]
 timestamp_override = "event.ingested"
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
@@ -64,5 +65,3 @@ field = "event.severity"
 operator = "equals"
 value = "99"
 severity = "critical"
-
-

rules/promotions/endpoint_adversary_behavior_detected.toml

@@ -20,9 +20,9 @@ risk_score = 47
 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
 severity = "medium"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)
 '''
-

rules/promotions/endpoint_cred_dumping_detected.toml

@@ -20,9 +20,9 @@ risk_score = 73
 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
 severity = "high"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
 '''
-

rules/promotions/endpoint_cred_dumping_prevented.toml

@@ -20,9 +20,9 @@ risk_score = 47
 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
 severity = "medium"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
 '''
-

rules/promotions/endpoint_cred_manipulation_detected.toml

@@ -20,9 +20,9 @@ risk_score = 73
 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
 severity = "high"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
 '''
-

rules/promotions/endpoint_cred_manipulation_prevented.toml

@@ -20,9 +20,9 @@ risk_score = 47
 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
 severity = "medium"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
 '''
-

rules/promotions/endpoint_exploit_detected.toml

@@ -20,9 +20,9 @@ risk_score = 73
 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
 severity = "high"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
 '''
-

rules/promotions/endpoint_exploit_prevented.toml

@@ -20,9 +20,9 @@ risk_score = 47
 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
 severity = "medium"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
 '''
-

rules/promotions/endpoint_malware_detected.toml

@@ -20,9 +20,9 @@ risk_score = 99
 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
 severity = "critical"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)
 '''
-

rules/promotions/endpoint_malware_prevented.toml

@@ -20,9 +20,9 @@ risk_score = 73
 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
 severity = "high"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)
 '''
-

rules/promotions/endpoint_permission_theft_detected.toml

@@ -20,9 +20,9 @@ risk_score = 73
 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
 severity = "high"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
 '''
-

rules/promotions/endpoint_permission_theft_prevented.toml

@@ -20,9 +20,9 @@ risk_score = 47
 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
 severity = "medium"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
 '''
-

rules/promotions/endpoint_process_injection_detected.toml

@@ -20,9 +20,9 @@ risk_score = 73
 rule_id = "80c52164-c82a-402c-9964-852533d58be1"
 severity = "high"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
 '''
-

rules/promotions/endpoint_process_injection_prevented.toml

@@ -20,9 +20,9 @@ risk_score = 47
 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
 severity = "medium"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
 '''
-

rules/promotions/endpoint_ransomware_detected.toml

@@ -20,9 +20,9 @@ risk_score = 99
 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
 severity = "critical"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
 '''
-

rules/promotions/endpoint_ransomware_prevented.toml

@@ -20,9 +20,9 @@ risk_score = 73
 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
 severity = "high"
 tags = ["Elastic", "Endpoint"]
+timeline_id = "546a9ab0-c738-11ea-ba51-73504b186a82"
 type = "query"
 
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
 '''
-

rules/promotions/external_alerts.toml

@@ -56,5 +56,3 @@ field = "event.severity"
 operator = "equals"
 value = "99"
 severity = "critical"
-
-