Update persistence_site_and_user_customize_file_creation.toml

Aegrah · web-flow · commit 759f80191278 · 2025-02-28T09:54:37.000+01:00
diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml
@@ -54,6 +54,7 @@ tags = [
     "Tactic: Defense Evasion",
     "Data Source: Elastic Defend"
 ]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "linux" and event.type in ("creation", "rename") and process.executable != null and

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ tags = [`
`54`	`54`	`"Tactic: Defense Evasion",`
`55`	`55`	`"Data Source: Elastic Defend"`
`56`	`56`	`]`
	`57`	`+timestamp_override = "event.ingested"`
`57`	`58`	`type = "eql"`
`58`	`59`	`query = '''`
`59`	`60`	`file where host.os.type == "linux" and event.type in ("creation", "rename") and process.executable != null and`