Update rule intervals based on aggred values

shashank-elastic · shashank-elastic · commit 508097bf2ad0 · 2025-03-26T21:48:08.000+05:30
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in
 the rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in
 the rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in
 the rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link
 in the rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link
 in the rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-2m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
@@ -10,9 +10,9 @@ description = """
 Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in
 the rule.reference column for additional information.
 """
-from = "now-15m"
+from = "now-1m"
 index = ["endgame-*"]
-interval = "10m"
+interval = "2m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
