Add timestamp override to netcat execution rule

Aegrah · web-flow · commit 69c6d16fb565 · 2025-10-31T10:39:27.000+01:00
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -128,6 +128,7 @@ tags = [
     "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
 ]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and

Original file line number	Diff line number	Diff line change
`@@ -128,6 +128,7 @@ tags = [`
`128`	`128`	`"Data Source: Crowdstrike",`
`129`	`129`	`"Data Source: SentinelOne",`
`130`	`130`	`]`
	`131`	`+timestamp_override = "event.ingested"`
`131`	`132`	`type = "eql"`
`132`	`133`	`query = '''`
`133`	`134`	`process where host.os.type == "linux" and event.type == "start" and`