diff --git a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml b/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml
index fc25a264eb..876457d2c8 100644
--- a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml
+++ b/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml
@@ -42,7 +42,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/baseline_of_cloud_instances_destroyed.yml b/baselines/baseline_of_cloud_instances_destroyed.yml
index 063ffb6163..e5361a2665 100644
--- a/baselines/baseline_of_cloud_instances_destroyed.yml
+++ b/baselines/baseline_of_cloud_instances_destroyed.yml
@@ -47,7 +47,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/baseline_of_cloud_instances_launched.yml b/baselines/baseline_of_cloud_instances_launched.yml
index 43074b35ce..bcfabcdcca 100644
--- a/baselines/baseline_of_cloud_instances_launched.yml
+++ b/baselines/baseline_of_cloud_instances_launched.yml
@@ -47,7 +47,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml b/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml
index f9ba8051dc..c83f4941f9 100644
--- a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml
+++ b/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml
@@ -41,7 +41,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/baseline_of_command_line_length___mltk.yml b/baselines/baseline_of_command_line_length___mltk.yml
index d72a9ffa40..b089029ec6 100644
--- a/baselines/baseline_of_command_line_length___mltk.yml
+++ b/baselines/baseline_of_command_line_length___mltk.yml
@@ -48,7 +48,7 @@ tags:
 security_domain: endpoint
 deployment:
 scheduling:
- cron_schedule: 0 0 1 * *
+ cron_schedule: '{minute} 0 1 * *'
 earliest_time: -30d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/baseline_of_dns_query_length___mltk.yml b/baselines/baseline_of_dns_query_length___mltk.yml
index 0d0921e6fe..396673ce10 100644
--- a/baselines/baseline_of_dns_query_length___mltk.yml
+++ b/baselines/baseline_of_dns_query_length___mltk.yml
@@ -42,7 +42,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 0 */30 * *
+ cron_schedule: '{minute} 0 */30 * *'
 earliest_time: -30d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/baseline_of_kubernetes_container_network_io.yml b/baselines/baseline_of_kubernetes_container_network_io.yml
index 63ecf5e914..ceb10dc6b7 100644
--- a/baselines/baseline_of_kubernetes_container_network_io.yml
+++ b/baselines/baseline_of_kubernetes_container_network_io.yml
@@ -50,7 +50,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -30d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/baseline_of_kubernetes_container_network_io_ratio.yml b/baselines/baseline_of_kubernetes_container_network_io_ratio.yml
index 05799ca815..1fc113c3f3 100644
--- a/baselines/baseline_of_kubernetes_container_network_io_ratio.yml
+++ b/baselines/baseline_of_kubernetes_container_network_io_ratio.yml
@@ -50,7 +50,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -30d@d
 latest_time: -1d@d
 schedule_window: auto
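Review bot: The day-of-month step in `'{minute} 0 */30 * *'` for baselines/baseline_of_dns_query_length___mltk.yml does not mean "every 30 days": a `*/30` step restarts at each month, so the job fires on the 1st and, in 31-day months, again on the 31st, giving two consecutive-day runs while the search window is the same `-30d@d`..`-1d@d`. The field is carried over from the removed line, but since the line is being rewritten anyway, a monthly cadence reads more honestly as `cron_schedule: '{minute} 0 1 * *'`, which is what baselines/baseline_of_command_line_length___mltk.yml in the same diff already uses. If the double run is intended, a comment above the line saying so would stop the next reader from "fixing" it.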
diff --git a/baselines/baseline_of_kubernetes_process_resource.yml b/baselines/baseline_of_kubernetes_process_resource.yml
index cb7c999811..c7e052dab1 100644
--- a/baselines/baseline_of_kubernetes_process_resource.yml
+++ b/baselines/baseline_of_kubernetes_process_resource.yml
@@ -46,7 +46,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -30d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/baseline_of_kubernetes_process_resource_ratio.yml b/baselines/baseline_of_kubernetes_process_resource_ratio.yml
index a92b872bd1..f99a2ac41a 100644
--- a/baselines/baseline_of_kubernetes_process_resource_ratio.yml
+++ b/baselines/baseline_of_kubernetes_process_resource_ratio.yml
@@ -60,7 +60,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -30d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/baseline_of_open_s3_bucket_decommissioning.yml b/baselines/baseline_of_open_s3_bucket_decommissioning.yml
index 4f3ca4f8df..5604b0f136 100644
--- a/baselines/baseline_of_open_s3_bucket_decommissioning.yml
+++ b/baselines/baseline_of_open_s3_bucket_decommissioning.yml
@@ -58,7 +58,7 @@ tags:
 security_domain: audit
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -30d@d
 latest_time: -1d@d
 schedule_window: auto
\ No newline at end of file
diff --git a/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml b/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml
index 76a9d53576..45b7369e36 100644
--- a/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml
+++ b/baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml
@@ -30,7 +30,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml b/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml
index ed6a275c00..fece2314db 100644
--- a/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml
+++ b/baselines/previously_seen_cloud_compute_creations_by_user___initial.yml
@@ -27,7 +27,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_cloud_compute_images___initial.yml b/baselines/previously_seen_cloud_compute_images___initial.yml
index 963cdf7af0..f62875328d 100644
--- a/baselines/previously_seen_cloud_compute_images___initial.yml
+++ b/baselines/previously_seen_cloud_compute_images___initial.yml
@@ -29,7 +29,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_cloud_compute_instance_types___initial.yml b/baselines/previously_seen_cloud_compute_instance_types___initial.yml
index 1f325d98c9..87b2344a7f 100644
--- a/baselines/previously_seen_cloud_compute_instance_types___initial.yml
+++ b/baselines/previously_seen_cloud_compute_instance_types___initial.yml
@@ -28,7 +28,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml b/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml
index 4685a5d45e..636abb2fc6 100644
--- a/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml
+++ b/baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml
@@ -28,7 +28,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml b/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml
index 0296b5697c..704567ae01 100644
--- a/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml
+++ b/baselines/previously_seen_cloud_provisioning_activity_sources___initial.yml
@@ -35,7 +35,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_cloud_regions___initial.yml b/baselines/previously_seen_cloud_regions___initial.yml
index 68a9aaac84..2d28d7ecae 100644
--- a/baselines/previously_seen_cloud_regions___initial.yml
+++ b/baselines/previously_seen_cloud_regions___initial.yml
@@ -30,7 +30,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_running_windows_services___initial.yml b/baselines/previously_seen_running_windows_services___initial.yml
index 429efbceae..0a06707f49 100644
--- a/baselines/previously_seen_running_windows_services___initial.yml
+++ b/baselines/previously_seen_running_windows_services___initial.yml
@@ -29,7 +29,7 @@ tags:
 security_domain: endpoint
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_running_windows_services___update.yml b/baselines/previously_seen_running_windows_services___update.yml
index e5ef21ba42..977080b620 100644
--- a/baselines/previously_seen_running_windows_services___update.yml
+++ b/baselines/previously_seen_running_windows_services___update.yml
@@ -34,7 +34,7 @@ tags:
 security_domain: endpoint
 deployment:
 scheduling:
- cron_schedule: 55 * * * *
+ cron_schedule: '{minute} * * * *'
 earliest_time: -70m@m
 latest_time: -10m@m
 schedule_window: auto
diff --git a/baselines/previously_seen_users_in_cloudtrail___initial.yml b/baselines/previously_seen_users_in_cloudtrail___initial.yml
index 39b4d4f14c..c707d5b397 100644
--- a/baselines/previously_seen_users_in_cloudtrail___initial.yml
+++ b/baselines/previously_seen_users_in_cloudtrail___initial.yml
@@ -36,7 +36,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_zoom_child_processes___initial.yml b/baselines/previously_seen_zoom_child_processes___initial.yml
index 812ab81ab0..cd4196ced6 100644
--- a/baselines/previously_seen_zoom_child_processes___initial.yml
+++ b/baselines/previously_seen_zoom_child_processes___initial.yml
@@ -30,7 +30,7 @@ tags:
 security_domain: endpoint
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: '{minute} 2 * * 0'
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
diff --git a/baselines/previously_seen_zoom_child_processes___update.yml b/baselines/previously_seen_zoom_child_processes___update.yml
index 350131e49a..471f84592e 100644
--- a/baselines/previously_seen_zoom_child_processes___update.yml
+++ b/baselines/previously_seen_zoom_child_processes___update.yml
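Review bot: Replacing `55 * * * *` with the same `'{minute} * * * *'` placeholder the hourly deployments use discards what looks like a deliberate offset that ran this `___update` baseline shortly before the detection that reads its lookup; the identical change is in baselines/previously_seen_zoom_child_processes___update.yml. Unless the substitution for `{minute}` is guaranteed to schedule baselines ahead of the detections that consume them, an hourly detection can run against a lookup that has not yet been refreshed for the current window, and a "previously seen" check then misses or repeats entries. If ordering matters, give update baselines their own placeholder or a fixed minute, e.g. `cron_schedule: '{baseline_minute} * * * *'` (placeholder name illustrative), and state the expected ordering in a comment above the line.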
@@ -35,7 +35,7 @@ tags:
 security_domain: endpoint
 deployment:
 scheduling:
- cron_schedule: 55 * * * *
+ cron_schedule: '{minute} * * * *'
 earliest_time: -70m@m
 latest_time: -10m@m
 schedule_window: auto
diff --git a/deployments/escu_default_configuration_anomaly.yml b/deployments/escu_default_configuration_anomaly.yml
index f620cb822a..4211a14ca1 100644
--- a/deployments/escu_default_configuration_anomaly.yml
+++ b/deployments/escu_default_configuration_anomaly.yml
@@ -5,9 +5,9 @@ author: Patrick Bareiss
 description: This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
 scheduling:
- cron_schedule: 0 * * * *
- earliest_time: -70m@m
- latest_time: -10m@m
+ cron_schedule: '{minute} * * * *'
+ earliest_time: -60m@m
+ latest_time: +10m@m
 schedule_window: auto
 alert_action:
 rba:
diff --git a/deployments/escu_default_configuration_baseline.yml b/deployments/escu_default_configuration_baseline.yml
index 21249611e5..d46b5833eb 100644
--- a/deployments/escu_default_configuration_baseline.yml
+++ b/deployments/escu_default_configuration_baseline.yml
@@ -4,8 +4,8 @@ date: '2021-12-21'
 author: Patrick Bareiss
 description: This configuration file applies to all detections of type baseline.
 scheduling:
- cron_schedule: 10 0 * * *
- earliest_time: -1450m@m
- latest_time: -10m@m
+ cron_schedule: '{minute} 0 * * *'
+ earliest_time: -1440m@m
+ latest_time: +10m@m
 schedule_window: auto
 type: Baseline
diff --git a/deployments/escu_default_configuration_correlation.yml b/deployments/escu_default_configuration_correlation.yml
index 9d160e8f74..60e2dff2a8 100644
--- a/deployments/escu_default_configuration_correlation.yml
+++ b/deployments/escu_default_configuration_correlation.yml
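Review bot: The new window `earliest_time: -60m@m` / `latest_time: +10m@m` in deployments/escu_default_configuration_anomaly.yml drops the indexing-lag allowance that the old `-70m@m` / `-10m@m` pair provided: successive hourly runs now cover [T-60m, T+10m] and then [T, T+70m], so an event timestamped in the last ten minutes before a run but indexed only after that run is searched by neither, which is a silent detection gap rather than a late alert. The same window change appears in deployments/escu_default_configuration_baseline.yml (`-1440m@m` / `+10m@m` on a daily cadence, with the same gap at the day boundary), deployments/escu_default_configuration_correlation.yml, deployments/escu_default_configuration_hunting.yml and deployments/escu_default_configuration_ttp.yml. Because relative time bounds appear to be resolved against the scheduled run time rather than the actual start, `schedule_window: auto` does not seem to close this. If `+10m@m` is meant to absorb clock skew on forwarders, keeping `earliest_time: -70m@m` (and `-1450m@m` for baselines) preserves the overlap between runs; either way, a comment such as `# window overlaps the previous run by 10m to tolerate indexing delay` would record the intent.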
@@ -5,9 +5,9 @@ author: Patrick Bareiss
 description: This configuration file applies to all detections of type Correlation. These correlations will generate Notable Events.
 scheduling:
- cron_schedule: 0 * * * *
- earliest_time: -70m@m
- latest_time: -10m@m
+ cron_schedule: '{minute} * * * *'
+ earliest_time: -60m@m
+ latest_time: +10m@m
 schedule_window: auto
 alert_action:
 notable:
diff --git a/deployments/escu_default_configuration_hunting.yml b/deployments/escu_default_configuration_hunting.yml
index 1a6704fe3b..4ef5e1b8a4 100644
--- a/deployments/escu_default_configuration_hunting.yml
+++ b/deployments/escu_default_configuration_hunting.yml
@@ -4,8 +4,8 @@ date: '2021-12-21'
 author: Patrick Bareiss
 description: This configuration file applies to all detections of type hunting.
 scheduling:
- cron_schedule: 0 * * * *
- earliest_time: -70m@m
- latest_time: -10m@m
+ cron_schedule: '{minute} * * * *'
+ earliest_time: -60m@m
+ latest_time: +10m@m
 schedule_window: auto
 type: Hunting
diff --git a/deployments/escu_default_configuration_ttp.yml b/deployments/escu_default_configuration_ttp.yml
index f9eac54b5d..3b4b0699d9 100644
--- a/deployments/escu_default_configuration_ttp.yml
+++ b/deployments/escu_default_configuration_ttp.yml
@@ -5,9 +5,9 @@ author: Patrick Bareiss
 description: This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
 scheduling:
- cron_schedule: 0 * * * *
- earliest_time: -70m@m
- latest_time: -10m@m
+ cron_schedule: '*/15 * * * *'
+ earliest_time: -60m@m
+ latest_time: +10m@m
 schedule_window: auto
 alert_action:
 notable:
diff --git a/dist/.gitkeep b/dist/.gitkeep
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/removed/baselines/previously_seen_aws_cross_account_activity___initial.yml b/removed/baselines/previously_seen_aws_cross_account_activity___initial.yml
index 94fbc5f84c..fcedf70335 100644
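Review bot: deployments/escu_default_configuration_ttp.yml hard-codes `'*/15 * * * *'` while every other deployment and baseline in this diff takes the `{minute}` placeholder, so TTP searches will not receive whatever per-environment minute staggering the placeholder exists to provide, and the intent behind the exception is not recorded anywhere in the file. Combined with the 70-minute window (`-60m@m` .. `+10m@m`), each quarter-hourly run re-evaluates events already covered by the previous four runs, which yields duplicate notable events and risk entries for any TTP detection that does not define throttling of its own. If a 15-minute cadence is wanted for TTPs, say so above the line, e.g. `# TTPs run every 15 min; relies on per-detection throttling to suppress repeats`, and consider narrowing `earliest_time` so consecutive windows overlap only by the lag allowance; otherwise `cron_schedule: '{minute} * * * *'` keeps this file consistent with the other four deployments.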
--- a/removed/baselines/previously_seen_aws_cross_account_activity___initial.yml
+++ b/removed/baselines/previously_seen_aws_cross_account_activity___initial.yml
@@ -34,7 +34,7 @@ tags:
 security_domain: network
 deployment:
 scheduling:
- cron_schedule: 0 2 * * 0
+ cron_schedule: \{minute\} 2 * * 0
 earliest_time: -90d@d
 latest_time: -1d@d
 schedule_window: auto
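Review bot: The value `\{minute\} 2 * * 0` in removed/baselines/previously_seen_aws_cross_account_activity___initial.yml is an unquoted plain scalar, so YAML keeps the backslashes literally and the field loads as the string `\{minute\} 2 * * 0`, unlike the single-quoted `'{minute} 2 * * 0'` written into every other baseline in this diff. Depending on how the build substitutes the placeholder, the result is either an untouched `\{minute\}` or a cron expression with stray backslashes, both of which the scheduler would reject. Even if files under removed/ are not built today, the line should read `cron_schedule: '{minute} 2 * * 0'` so that restoring the baseline later does not carry the defect along.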