Refactor rules: drop "now-" prefix from within field#2176

Open
JocLRojas wants to merge 1 commit into release/v11.2.9 from feature/refactor-rules-within-format
Conversation

@JocLRojas

Contributor

Changes

Across 199 correlation rules, the within field in the afterEvents block changes from the legacy now-Xy form to the supported Xy form:

  • within: now-5m → within: 5m
  • within: now-30m → within: 30m
  • within: now-1h → within: 1h
  • ...and so on for every duration in use (60s, 1m, 2m, 5m, 10m, 15m, 30m, 1h, 2h, 4h, 6h, 12h, 24h)

215 lines removed, 215 lines added — strictly symmetric. No changes to detection logic, conditions, deduplication, or any other field.

Reasoning

The Xy form is the supported syntax for the within field. The legacy now-Xy form will be deprecated. This PR aligns the entire rule catalog with the format the engine actually supports.

Reference

N/A — internal rule catalog fix, no linked issue.
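The rewrite described above can be done, and checked, with a line-oriented pass that only touches `within:` lines, which is what keeps the diff strictly symmetric. The following is an added example, not code from this PR or from the UTMStack project: the `afterEvents` block, the `within` key and the `now-Xy` / `Xy` forms come from the description above, while the sample rule skeleton (`id`, `name`, `indexPattern`, `count`, `deduplicateBy`), the assumption that `within:` always sits on its own line, and the accepted units (`s`, `m`, `h`, the ones listed in the PR) are constructed for illustration.

```python
import re
from typing import List, Tuple

# Legacy form of the within field, e.g. "      within: now-30m".
# Only s/m/h units are accepted here (the units listed in the PR description);
# anything else is left as-is and reported by find_invalid_within().
LEGACY_WITHIN = re.compile(r"^(?P<indent>\s*)within:\s*now-(?P<dur>\d+[smh])\s*$")
SUPPORTED_WITHIN = re.compile(r"^\s*within:\s*(?P<dur>\d+[smh])\s*$")
ANY_WITHIN = re.compile(r"^\s*within:")

# Constructed sample rule; only afterEvents/within mirror the real catalog layout.
SAMPLE_RULE = """\
- id: constructed-0001
  name: constructed sample rule (not a real catalog rule)
  afterEvents:
    - indexPattern: v11-log-*
      within: now-30m
      count: 5
    - indexPattern: v11-log-*
      within: now-1h
      count: 1
  deduplicateBy:
    - origin.ip
"""


def migrate_within(rule_text: str) -> Tuple[str, int]:
    """Rewrite `within: now-Xy` to `within: Xy` line by line.

    Working on lines rather than re-serialising YAML guarantees that
    conditions, deduplication and every other field come out byte-identical.
    Returns the rewritten text and the number of lines changed.
    """
    out: List[str] = []
    changed = 0
    for line in rule_text.splitlines():
        m = LEGACY_WITHIN.match(line)
        if m:
            line = f"{m.group('indent')}within: {m.group('dur')}"
            changed += 1
        out.append(line)
    result = "\n".join(out)
    if rule_text.endswith("\n"):
        result += "\n"
    return result, changed


def find_invalid_within(rule_text: str) -> List[int]:
    """1-based line numbers of `within:` fields in neither the legacy nor the
    supported form (missing unit, unexpected unit, trailing junk)."""
    bad: List[int] = []
    for no, line in enumerate(rule_text.splitlines(), start=1):
        if ANY_WITHIN.match(line) and not (LEGACY_WITHIN.match(line) or SUPPORTED_WITHIN.match(line)):
            bad.append(no)
    return bad


def is_symmetric_within_only_change(before: str, after: str) -> bool:
    """Check the property the PR claims: same line count, and every line that
    differs is a `within:` line in both versions."""
    b, a = before.splitlines(), after.splitlines()
    if len(b) != len(a):
        return False
    return all(old == new or (ANY_WITHIN.match(old) and ANY_WITHIN.match(new))
               for old, new in zip(b, a))


if __name__ == "__main__":
    migrated, n = migrate_within(SAMPLE_RULE)
    print(f"rewrote {n} within line(s)")
    print("symmetric, within-only:", is_symmetric_within_only_change(SAMPLE_RULE, migrated))
    print("invalid within lines after migration:", find_invalid_within(migrated))
    print(migrated)
```

Running the validator over the catalog before and after the migration gives a concrete answer to the "may break the engine's parsing" concern raised by the review bot: every `within` value either matches the supported `Xy` grammar or is listed by line number, and the symmetry check confirms no other field moved.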

@JocLRojas JocLRojas requested a review from a team June 8, 2026 16:04
@github-actions

github-actions Bot commented Jun 8, 2026


❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.23
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.22
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.1
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.41.12
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.23
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.22
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.1
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

❌ Please update dependencies before merging.

@github-actions

github-actions Bot commented Jun 8, 2026


⚠️ AI review — Changes requested

One or more prompts found issues the author should fix before merging. Details below.

architecture (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Refactored detection rule time windows from 'now-X' to 'X' syntax for consistency; no architectural impact.

No findings.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: The PR changes 'within' syntax from 'now-X' to 'X' across many YAML files, which may break the detection engine's time-window parsing.

  • high rules/antivirus/bitdefender_gz/av_console_lateral_movement.yml:38 — The change from 'now-30m' to '30m' likely breaks the detection engine's expected syntax for relative time windows. If the engine requires 'now-' prefix, these rules will fail to trigger.

security (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: The PR updates time-window syntax in YAML detection rules from 'now-X' to 'X', which is a configuration change and does not introduce security vulnerabilities.

No findings.

@utmstackprapprover utmstackprapprover Bot left a comment

Changes requested — see approver comments above.