Refactor rules: drop "now-" prefix from within field

rules/antivirus/bitdefender_gz/av_console_lateral_movement.yml

@@ -35,7 +35,7 @@ afterEvents:
       - field: log.hostId
         operator: filter_term
         value: '{{.log.hostId}}'
-    within: now-30m
+    within: 30m
     count: 10
 groupBy:
   - lastEvent.log.eventType

rules/antivirus/bitdefender_gz/av_policy_override.yml

@@ -36,7 +36,7 @@ afterEvents:
       - field: log.hostId
         operator: filter_term
         value: '{{.log.hostId}}'
-    within: now-1h
+    within: 1h
     count: 3
 groupBy:
   - lastEvent.log.eventType

rules/antivirus/bitdefender_gz/malware_outbreak_multiple_hosts.yml

@@ -41,7 +41,7 @@ afterEvents:
       - field: log.eventType
         operator: filter_term
         value: "AntiMalware"
-    within: now-2h
+    within: 2h
     count: 10
 groupBy:
   - lastEvent.log.signatureID

rules/antivirus/bitdefender_gz/multiple_malware_from_single_source.yml

@@ -47,7 +47,7 @@ afterEvents:
       - field: log.eventType
         operator: filter_term
         value: "AntiMalware"
-    within: now-1h
+    within: 1h
     count: 5
 groupBy:
   - lastEvent.log.hostId

rules/antivirus/bitdefender_gz/network_threat_detection.yml

@@ -39,7 +39,7 @@ afterEvents:
       - field: origin.ip
         operator: filter_term
         value: '{{.origin.ip}}'
-    within: now-2h
+    within: 2h
     count: 5
     or:
       - indexPattern: v11-log-antivirus-bitdefender-gz-*
@@ -50,7 +50,7 @@ afterEvents:
           - field: log.eventType
             operator: filter_term
             value: 'network-sandboxing'
-        within: now-4h
+        within: 4h
         count: 3
 groupBy:
   - lastEvent.log.hostId

rules/antivirus/bitdefender_gz/ransomware_behavior_detection.yml

@@ -37,7 +37,7 @@ afterEvents:
       - field: log.hostId
         operator: filter_term
         value: '{{.log.hostId}}'
-    within: now-10m
+    within: 10m
     count: 5
 groupBy:
   - lastEvent.log.hostId

rules/antivirus/bitdefender_gz/usb_malware_propagation.yml

@@ -36,7 +36,7 @@ afterEvents:
       - field: log.hostId
         operator: filter_term
         value: '{{.log.hostId}}'
-    within: now-30m
+    within: 30m
     count: 5
 groupBy:
   - lastEvent.log.eventType

rules/antivirus/deceptive-bytes/advanced_threat_tactic_identification.yml

@@ -43,7 +43,7 @@ afterEvents:
       - field: log.tacticName
         operator: filter_term
         value: '{{.log.tacticName}}'
-    within: now-15m
+    within: 15m
     count: 3
 groupBy:
   - lastEvent.log.tacticName

rules/antivirus/deceptive-bytes/data_theft_attempt_indicators.yml

@@ -38,7 +38,7 @@ afterEvents:
       - field: log.event_type
         operator: filter_term
         value: 'decoy_accessed'
-    within: now-2h
+    within: 2h
     count: 3
 groupBy:
   - lastEvent.log.decoy_file

rules/antivirus/deceptive-bytes/deception_token_access_patterns.yml

@@ -40,7 +40,7 @@ afterEvents:
       - field: log.eventType
         operator: filter_term
         value: 'token_access'
-    within: now-1h
+    within: 1h
     count: 3
 groupBy:
   - lastEvent.log.tokenId

rules/antivirus/deceptive-bytes/decoy_share_access_monitoring.yml

@@ -37,7 +37,7 @@ afterEvents:
       - field: log.resourceType
         operator: filter_term
         value: 'network_share'
-    within: now-30m
+    within: 30m
     count: 3
 deduplicateBy:
   - adversary.ip

rules/antivirus/deceptive-bytes/honey_table_query_detection.yml

@@ -36,7 +36,7 @@ afterEvents:
       - field: log.eventType
         operator: filter_term
         value: decoy_access
-    within: now-1h
+    within: 1h
     count: 5
 groupBy:
   - lastEvent.log.tableName

rules/antivirus/deceptive-bytes/ransomware_behavior_patterns.yml

@@ -39,7 +39,7 @@ afterEvents:
       - field: log.source_ip
         operator: filter_term
         value: '{{.log.source_ip}}'
-    within: now-15m
+    within: 15m
     count: 10
 groupBy:
   - lastEvent.log.hostname

rules/antivirus/deceptive-bytes/zero_day_behavior_patterns.yml

@@ -46,7 +46,7 @@ afterEvents:
       - field: log.processName
         operator: filter_term
         value: '{{.log.processName}}'
-    within: now-30m
+    within: 30m
     count: 2
 groupBy:
   - lastEvent.log.exploitTechnique

rules/antivirus/esmc-eset/advanced_heuristic_detection_triggers.yml

@@ -38,7 +38,7 @@ afterEvents:
       - field: log.headHostname
         operator: filter_term
         value: '{{.log.headHostname}}'
-    within: now-30m
+    within: 30m
     count: 3
 groupBy:
   - lastEvent.log.headHostname

rules/antivirus/esmc-eset/eset_console_abuse.yml

@@ -38,7 +38,7 @@ afterEvents:
       - field: log.headHostname
         operator: filter_term
         value: '{{.log.headHostname}}'
-    within: now-30m
+    within: 30m
     count: 10
 groupBy:
   - lastEvent.log.headHostname

rules/antivirus/esmc-eset/eset_quarantine_failures.yml

@@ -35,7 +35,7 @@ afterEvents:
       - field: log.headHostname
         operator: filter_term
         value: '{{.log.headHostname}}'
-    within: now-1h
+    within: 1h
     count: 5
 groupBy:
   - lastEvent.log.headHostname

rules/antivirus/kaspersky/data_exfiltration_attempts.yml

@@ -45,7 +45,7 @@ afterEvents:
       - field: log.cat
         operator: filter_term
         value: NetworkThreat
-    within: now-30m
+    within: 30m
     count: 5
 groupBy:
   - origin.ip

rules/antivirus/kaspersky/kaspersky_ransomware_behavior.yml

@@ -36,5 +36,5 @@ afterEvents:
       - field: log.src
         operator: filter_term
         value: '{{.log.src}}'
-    within: now-10m
+    within: 10m
     count: 3

rules/antivirus/kaspersky/lateral_movement_indicators.yml

@@ -41,5 +41,5 @@ afterEvents:
       - field: log.src
         operator: filter_term
         value: '{{.log.src}}'
-    within: now-2h
+    within: 2h
     count: 3

rules/antivirus/kaspersky/suspicious_network_activity.yml

@@ -46,7 +46,7 @@ afterEvents:
       - field: log.dstIP
         operator: filter_term
         value: '{{.log.dstIP}}'
-    within: now-30m
+    within: 30m
     count: 5
 groupBy:
   - target.ip

rules/cisco/asa/ips_signature_matches.yml

@@ -35,7 +35,7 @@ afterEvents:
       - field: origin.ip
         operator: filter_term
         value: '{{.origin.ip}}'
-    within: now-15m
+    within: 15m
     count: 3
 groupBy:
   - adversary.ip

rules/cisco/asa/multiple_failed_vpn_attempts.yml

@@ -40,7 +40,7 @@ afterEvents:
       - field: log.messageId
         operator: filter_term
         value: '113015'
-    within: now-15m
+    within: 15m
     count: 10
     or:
       - indexPattern: v11-log-firewall-cisco-asa-*
@@ -51,7 +51,7 @@ afterEvents:
           - field: log.messageId
             operator: filter_term
             value: '113021'
-        within: now-15m
+        within: 15m
         count: 10
       - indexPattern: v11-log-firewall-cisco-asa-*
         with:
@@ -61,7 +61,7 @@ afterEvents:
           - field: log.messageId
             operator: filter_term
             value: '109034'
-        within: now-15m
+        within: 15m
         count: 10
       - indexPattern: v11-log-firewall-cisco-asa-*
         with:
@@ -71,7 +71,7 @@ afterEvents:
           - field: log.messageId
             operator: filter_term
             value: '611102'
-        within: now-15m
+        within: 15m
         count: 10
 groupBy:
   - adversary.ip

rules/cisco/cs_switch/arp_poisoning_detection.yml

@@ -36,7 +36,7 @@ afterEvents:
       - field: origin.ip
         operator: filter_term
         value: '{{.origin.ip}}'
-    within: now-10m
+    within: 10m
     count: 5
 groupBy:
   - adversary.ip

rules/cisco/cs_switch/mac_address_spoofing.yml

@@ -36,7 +36,7 @@ afterEvents:
       - field: origin.mac
         operator: filter_term
         value: '{{.origin.mac}}'
-    within: now-10m
+    within: 10m
     count: 3
 groupBy:
   - adversary.mac

rules/cisco/firepower/c2_nonstandard_port.yml

@@ -40,7 +40,7 @@ afterEvents:
       - field: target.ip
         operator: filter_term
         value: '{{.target.ip}}'
-    within: now-1h
+    within: 1h
     count: 5
 groupBy:
   - adversary.ip

rules/cisco/meraki/meraki_vpn_brute_force.yml

@@ -33,7 +33,7 @@ afterEvents:
       - field: origin.ip
         operator: filter_term
         value: '{{.origin.ip}}'
-    within: now-15m
+    within: 15m
     count: 10
 groupBy:
   - adversary.ip

rules/cloud/aws/aws/aws_ecs_credential_theft.yml

@@ -38,7 +38,7 @@ afterEvents:
       - field: log.eventSource
         operator: filter_term
         value: 'ecs.amazonaws.com'
-    within: now-30m
+    within: 30m
     count: 5
 groupBy:
   - adversary.user

rules/cloud/aws/aws/aws_golden_saml_attack.yml

@@ -34,22 +34,22 @@ afterEvents:
       - field: log.userIdentityAccountId
         operator: filter_term
         value: '{{.log.userIdentityAccountId}}'
-    within: now-24h
+    within: 24h
     count: 1
     or:
       - indexPattern: v11-log-aws-*
         with:
           - field: log.eventName
             operator: filter_term
             value: 'UpdateSAMLProvider'
-        within: now-24h
+        within: 24h
         count: 1
       - indexPattern: v11-log-aws-*
         with:
           - field: log.eventName
             operator: filter_term
             value: 'CreateSAMLProvider'
-        within: now-24h
+        within: 24h
         count: 1
 groupBy:
   - adversary.user

rules/cloud/aws/aws/aws_securityhub_finding_evasion.yml

@@ -38,7 +38,7 @@ afterEvents:
       - field: log.eventSource
         operator: filter_term
         value: 'securityhub.amazonaws.com'
-    within: now-30m
+    within: 30m
     count: 5
 groupBy:
   - adversary.user

rules/cloud/aws/aws/aws_ssm_sendcommand_abuse.yml

@@ -36,7 +36,7 @@ afterEvents:
       - field: log.eventSource
         operator: filter_term
         value: 'ssm.amazonaws.com'
-    within: now-30m
+    within: 30m
     count: 5
 groupBy:
   - adversary.user

rules/cloud/aws/aws/aws_sso_suspicious_activities.yml

@@ -38,7 +38,7 @@ afterEvents:
       - field: log.eventSource
         operator: filter_term
         value: 'sso.amazonaws.com'
-    within: now-30m
+    within: 30m
     count: 10
 groupBy:
   - lastEvent.log.sourceIPAddress

rules/cloud/aws/aws/cloudformation_stack_deletion.yml

@@ -34,7 +34,7 @@ afterEvents:
       - field: log.eventSource
         operator: filter_term
         value: 'cloudformation.amazonaws.com'
-    within: now-30m
+    within: 30m
     count: 5
 groupBy:
   - lastEvent.log.userIdentityAccountId

rules/cloud/aws/aws/console_login_impossible_travel.yml

@@ -41,7 +41,7 @@ afterEvents:
       - field: origin.geolocation.countryCode
         operator: must_not_term
         value: '{{.origin.geolocation.countryCode}}'
-    within: now-30m
+    within: 30m
     count: 1
 groupBy:
   - adversary.user

rules/cloud/aws/aws/cross_account_access_anomalies.yml

@@ -40,7 +40,7 @@ afterEvents:
       - field: log.eventName
         operator: filter_term
         value: 'AssumeRole'
-    within: now-15m
+    within: 15m
     count: 15
 groupBy:
   - lastEvent.log.responseElementsAssumedRoleUserArn

rules/cloud/aws/aws/iam_backdoor_creation_attempts.yml

@@ -33,7 +33,7 @@ afterEvents:
       - field: log.eventSource
         operator: filter_term
         value: 'iam.amazonaws.com'
-    within: now-30m
+    within: 30m
     count: 3
 groupBy:
   - lastEvent.log.sourceIPAddress

rules/cloud/aws/aws/iam_privilege_escalation_paths.yml

@@ -39,7 +39,7 @@ afterEvents:
       - field: log.eventSource
         operator: filter_term
         value: iam.amazonaws.com
-    within: now-30m
+    within: 30m
     count: 3
 groupBy:
   - adversary.user

rules/cloud/aws/aws/lambda_privilege_escalation.yml

@@ -39,7 +39,7 @@ afterEvents:
       - field: log.eventName
         operator: filter_term
         value: AttachRolePolicy
-    within: now-1h
+    within: 1h
     count: 2
 groupBy:
   - lastEvent.log.requestParameters.roleArn

rules/cloud/aws/aws/mass_resource_deletion.yml

@@ -32,7 +32,7 @@ afterEvents:
       - field: log.userIdentity.arn
         operator: filter_term
         value: '{{.log.userIdentity.arn}}'
-    within: now-10m
+    within: 10m
     count: 15
 groupBy:
   - lastEvent.log.sourceIPAddress