linted; adjusted queries

rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to
-immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend behavior detections only, and does not include prevention alerts.
+Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule
+allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend
+behavior detections only, and does not include prevention alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Behavior - Detected - Elastic Defend"
 references = [
     "https://github.com/elastic/protections-artifacts/tree/main/behavior",
-    "https://docs.elastic.co/en/integrations/endpoint"
+    "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 47
 rule_id = "0f615fe4-eaa2-11ee-ae33-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior and message: *detection*
+event.kind : alert and event.code : behavior and (event.type : allowed or (event.type: denied and event.outcome: failure))
 '''
 
 

rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule allows you to
-immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend behavior preventions only, and does not include detection only alerts.
+Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule
+allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Endpoint Defend
+behavior preventions only, and does not include detection only alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Behavior - Prevented - Endpoint Defend"
 references = [
     "https://github.com/elastic/protections-artifacts/tree/main/behavior",
-    "https://docs.elastic.co/en/integrations/endpoint"
+    "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 21
 rule_id = "eb804972-ea34-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior and message: *prevention*
+event.kind : alert and event.code : behavior and event.type : denied and event.outcome : success
 '''
 
 

rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml

@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to
-immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file detections only, and does not include prevention alerts.
+Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows
+you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend
+malicious file detections only, and does not include prevention alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Malicious File - Detected - Elastic Defend"
 references = [
     "https://github.com/elastic/protections-artifacts/tree/main/yara",
-    "https://docs.elastic.co/en/integrations/endpoint"
+    "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 47
 rule_id = "f2c3caa6-ea34-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: malicious_file and message: *detection*
+event.kind : alert and event.code : malicious_file and (event.type : allowed or (event.type: denied and event.outcome: failure))
 '''
 
 

rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml

@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows you to
-immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend malicious file preventions only, and does not include detection only alerts.
+Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows
+you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend
+malicious file preventions only, and does not include detection only alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Malicious File - Prevented - Elastic Defend"
 references = [
     "https://github.com/elastic/protections-artifacts/tree/main/yara",
-    "https://docs.elastic.co/en/integrations/endpoint"
+    "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 21
 rule_id = "f87e6122-ea34-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: malicious_file and message: *prevention*
+event.kind : alert and event.code : malicious_file and event.type : denied and event.outcome : success
 '''
 
 

rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml

@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to
-immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature detections only, and does not include prevention alerts.
+Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule
+allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend
+memory signature detections only, and does not include prevention alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Memory Signature - Detected - Elastic Defend"
 references = [
     "https://github.com/elastic/protections-artifacts/tree/main/yara",
-    "https://docs.elastic.co/en/integrations/endpoint"
+    "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 47
 rule_id = "017de1e4-ea35-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: (memory_signature or  shellcode_thread) and message: *detection*
+event.kind : alert and event.code : (memory_signature or shellcode_thread) and (event.type : allowed or (event.type: denied and event.outcome: failure))
 '''
 
 

rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule allows you to
-immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend memory signature preventions only, and does not include detection only alerts.
+Generates a detection alert each time an Elastic Defend alert for memory signatures are received. Enabling this rule
+allows you to immediately begin investigating your Endpoint memory signature alerts. This rule identifies Elastic Defend
+memory signature preventions only, and does not include detection only alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Memory Signature - Prevented- Elastic Defend"
 references = [
     "https://github.com/elastic/protections-artifacts/tree/main/yara",
-    "https://docs.elastic.co/en/integrations/endpoint"
+    "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 21
 rule_id = "06f3a26c-ea35-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: (memory_signature or  shellcode_thread) and message: *prevention*
+event.kind : alert and event.code : (memory_signature or shellcode_thread) or event.type : denied or event.outcome : success
 '''
 
 

rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml

@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to
-immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware detections only, and does not include prevention alerts.
+Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you
+to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware
+detections only, and does not include prevention alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Ransomware - Detected - Elastic Defend"
 references = [
     "https://github.com/elastic/protections-artifacts/tree/main/ransomware",
-    "https://docs.elastic.co/en/integrations/endpoint"
+    "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 47
 rule_id = "0c74cd7e-ea35-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: ransomware and message: *detection*
+event.kind : alert and event.code : ransomware and (event.type : allowed or (event.type: denied and event.outcome: failure))
 '''
 
 

rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml

@@ -4,14 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.16.0"
-updated_date = "2024/11/26"
 promotion = true
+updated_date = "2024/11/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you to
-immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware preventions only, and does not include detection only alerts.
+Generates a detection alert each time an Elastic Defend alert for ransomware are received. Enabling this rule allows you
+to immediately begin investigating your Endpoint ransomware alerts. This rule identifies Elastic Defend ransomware
+preventions only, and does not include detection only alerts.
 """
 enabled = true
 from = "now-10m"
@@ -22,7 +23,7 @@ max_signals = 10000
 name = "Ransomware - Prevented - Elastic Defend"
 references = [
     "https://github.com/elastic/protections-artifacts/tree/main/ransomware",
-    "https://docs.elastic.co/en/integrations/endpoint"
+    "https://docs.elastic.co/en/integrations/endpoint",
 ]
 risk_score = 21
 rule_id = "10f3d520-ea35-11ee-a417-f661ea17fbce"
@@ -33,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame) and event.code: ransomware and message: *prevention*
+event.kind : alert and event.code : ransomware and event.type : denied and event.outcome : success
 '''