
[Detection Rules] Add 7.9.1 rules updates #75939

Merged

Conversation

brokensound77
Contributor

Summary

This updates pre-built security rules with changes from elastic/detection-rules#200, which increased the lookback on all rules targeting the logs.endpoint.events.* index by 3 minutes each.
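The change the summary describes, worked through as an added example (this is not code from Kibana or from the detection-rules repository): a small Python script that extends the `from` lookback of rules whose `index` includes `logs.endpoint.events.*` by 3 minutes, bumps their `version`, and computes how much ingestion delay a rule can absorb before events fall between two runs. The dict-shaped rule, the `now-6m` / `5m` sample values, the placeholder `rule_id` and the headroom formula are assumptions of the example; the page itself only states the 3-minute increase.

```python
"""Extend the lookback (`from`) of prebuilt rules that read endpoint events.

Added example, not code from elastic/kibana or elastic/detection-rules.
Assumptions: rules are plain dicts with the same field names as the rule
TOML (`index`, `from`, `interval`, `version`); the sample rule below is
constructed, and its `now-6m` / `5m` values are assumed defaults.
"""
import re
from typing import Any, Dict

ENDPOINT_INDEX = "logs.endpoint.events.*"   # index pattern named in the PR summary
EXTRA_LOOKBACK_MINUTES = 3                  # the increase described in the PR summary

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
_DURATION = re.compile(r"^(\d+)([smh])$")
# Elasticsearch date math as used in rule `from` fields: "now", "now-6m", "now-1h", ...
_DATE_MATH = re.compile(r"^now(?:-(\d+)([smh]))?$")


def parse_duration(value: str) -> int:
    """'5m' -> 300. Only s/m/h are handled, which covers rule intervals."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def lookback_seconds(from_value: str) -> int:
    """'now-6m' -> 360; a plain 'now' means no lookback at all."""
    m = _DATE_MATH.match(from_value.strip())
    if not m:
        raise ValueError(f"unsupported date math: {from_value!r}")
    if m.group(1) is None:
        return 0
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def format_lookback(seconds: int) -> str:
    """Render seconds back as date math, preferring whole minutes."""
    if seconds == 0:
        return "now"
    if seconds % 60 == 0:
        return f"now-{seconds // 60}m"
    return f"now-{seconds}s"


def targets_endpoint(rule: Dict[str, Any]) -> bool:
    """True when the rule's index list names the endpoint events pattern."""
    return ENDPOINT_INDEX in rule.get("index", [])


def extend_lookback(rule: Dict[str, Any],
                    extra_minutes: int = EXTRA_LOOKBACK_MINUTES) -> Dict[str, Any]:
    """Return a copy of the rule; endpoint rules get a longer `from` and a bumped version.

    Rules that do not read the endpoint index are returned unchanged, so the
    function is safe to map over a whole rule set.
    """
    if not targets_endpoint(rule):
        return dict(rule)
    updated = dict(rule)
    updated["from"] = format_lookback(lookback_seconds(rule["from"]) + extra_minutes * 60)
    # Prebuilt rules are versioned; a content change bumps the version so
    # Kibana can tell the shipped rule has changed.
    updated["version"] = int(rule.get("version", 1)) + 1
    return updated


def max_tolerated_delay_seconds(rule: Dict[str, Any]) -> int:
    """Longest ingestion delay an event can have and still be seen by some run.

    A run at time T searches [T - lookback, T]; runs happen every `interval`.
    An event with @timestamp t that becomes searchable at t + delay is found by
    a run at T only if t + delay <= T <= t + lookback. That window has length
    lookback - delay, and some run falls inside it for every t only when the
    length is at least `interval`. Hence delay <= lookback - interval.
    """
    return lookback_seconds(rule["from"]) - parse_duration(rule["interval"])


# Constructed sample rule (field names as in the rule TOML; values assumed).
SAMPLE_RULE = {
    "rule_id": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real rule id
    "index": [ENDPOINT_INDEX],
    "from": "now-6m",
    "interval": "5m",
    "version": 1,
}

if __name__ == "__main__":
    updated = extend_lookback(SAMPLE_RULE)
    print(SAMPLE_RULE["from"], "->", updated["from"], "version", updated["version"])
    print("delay headroom before:", max_tolerated_delay_seconds(SAMPLE_RULE), "s")
    print("delay headroom after: ", max_tolerated_delay_seconds(updated), "s")
```

With the assumed `now-6m` / `5m` rule, the 3-minute increase moves `from` to `now-9m` and raises the delay headroom from 60 s to 240 s. A lookback that exceeds the interval is what keeps late-indexed events from falling between consecutive runs; the headroom function measures that general property and is not a rationale the PR itself states.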

@brokensound77 brokensound77 added release_note:skip Skip the PR/issue when compiling release notes v7.9.1 labels Aug 25, 2020
@brokensound77 brokensound77 requested a review from a team as a code owner August 25, 2020 23:25
Member

@spong spong left a comment


Lookback and version updates LGTM -- thanks @brokensound77! 🙂

@kibanamachine
Contributor

💛 Build succeeded, but was flaky


Test Failures

X-Pack Security API Integration Tests.x-pack/test/security_api_integration/tests/session_idle/cleanup·ts.security APIs - Session Idle Session Idle cleanup "before each" hook for "should properly clean up session expired because of idle timeout"


Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:00]       │
[00:00:00]         └-: security APIs - Session Idle
[00:00:00]           └-> "before all" hook
[00:00:00]           └-: Session Idle cleanup
[00:00:00]             └-> "before all" hook
[00:00:00]             └-> should properly clean up session expired because of idle timeout
[00:00:00]               └-> "before each" hook: global before each
[00:00:00]               └-> "before each" hook
[00:00:00]                 │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1598397971431267183] [.kibana_1/q49HUBGTQVyMfJUBRrh1zw] update_mapping [_doc]
[00:00:00]                 │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1598397971431267183] [.kibana_security_session_1] creating index, cause [api], templates [.kibana_security_session_index_template_1], shards [1]/[0]
[00:00:00]                 │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1598397971431267183] [.apm-custom-link] creating index, cause [api], templates [], shards [1]/[1]
[00:00:00]                 │ info [o.e.c.r.a.AllocationService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1598397971431267183] updating number_of_replicas to [0] for indices [.apm-custom-link]
[00:00:00]                 │ info [r.suppressed] [kibana-ci-immutable-ubuntu-16-tests-xxl-1598397971431267183] path: /.kibana_security_session*/_delete_by_query, params: {q=*, refresh=true, index=.kibana_security_session*}
[00:00:00]                 │      org.elasticsearch.action.search.SearchPhaseExecutionException: all shards failed
[00:00:00]                 │      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.onPhaseFailure(AbstractSearchAsyncAction.java:538) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.executeNextPhase(AbstractSearchAsyncAction.java:309) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.onPhaseDone(AbstractSearchAsyncAction.java:569) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.onShardFailure(AbstractSearchAsyncAction.java:387) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.search.AbstractSearchAsyncAction$1.onFailure(AbstractSearchAsyncAction.java:245) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.search.SearchExecutionStatsCollector.onFailure(SearchExecutionStatsCollector.java:73) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.ActionListenerResponseHandler.handleException(ActionListenerResponseHandler.java:59) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.search.SearchTransportService$ConnectionCountingHandler.handleException(SearchTransportService.java:403) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.transport.TransportService$6.handleException(TransportService.java:579) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1119) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.transport.TransportService$DirectResponseChannel.processException(TransportService.java:1228) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.transport.TransportService$DirectResponseChannel.sendResponse(TransportService.java:1202) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.transport.TaskTransportChannel.sendResponse(TaskTransportChannel.java:61) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.transport.TransportChannel.sendErrorResponse(TransportChannel.java:56) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.support.ChannelActionListener.onFailure(ChannelActionListener.java:51) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.search.SearchService.lambda$runAsync$0(SearchService.java:414) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:647) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) [?:?]
[00:00:00]                 │      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) [?:?]
[00:00:00]                 │      	at java.lang.Thread.run(Thread.java:832) [?:?]
[00:00:00]                 └- ✖ fail: security APIs - Session Idle Session Idle cleanup "before each" hook for "should properly clean up session expired because of idle timeout"
[00:00:00]                 │      Error: [search_phase_execution_exception] all shards failed
[00:00:00]                 │       at respond (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)
[00:00:00]                 │       at checkRespForFailure (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)
[00:00:00]                 │       at HttpConnector.<anonymous> (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
[00:00:00]                 │       at IncomingMessage.wrapper (/dev/shm/workspace/kibana/node_modules/lodash/lodash.js:4949:19)
[00:00:00]                 │       at endReadableNT (_stream_readable.js:1145:12)
[00:00:00]                 │       at process._tickCallback (internal/process/next_tick.js:63:19)
[00:00:00]                 │ 
[00:00:00]                 │ 

Stack Trace

{ Error: [search_phase_execution_exception] all shards failed
    at respond (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/dev/shm/workspace/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/dev/shm/workspace/kibana/node_modules/lodash/lodash.js:4949:19)
    at endReadableNT (_stream_readable.js:1145:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)
  status: 503,
  displayName: 'ServiceUnavailable',
  message: '[search_phase_execution_exception] all shards failed',
  path: '/.kibana_security_session*/_delete_by_query',
  query: { q: '*', refresh: true },
  body:
   { error:
      { root_cause: [],
        type: 'search_phase_execution_exception',
        reason: 'all shards failed',
        phase: 'query',
        grouped: true,
        failed_shards: [] },
     status: 503 },
  statusCode: 503,
  response:
   '{"error":{"root_cause":[],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[]},"status":503}',
  toString: [Function],
  toJSON: [Function] }

Build metrics

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@brokensound77 brokensound77 merged commit eecf4aa into elastic:master Aug 26, 2020
@brokensound77
Contributor Author

security APIs - Session Idle Session Idle cleanup "before each" hook for "should properly clean up session expired because of idle timeout"

Seems to be not directly related to any of these rule changes.

brokensound77 added a commit to brokensound77/kibana that referenced this pull request Aug 27, 2020
* increase lookback (`from`) and bump versions
brokensound77 added a commit to brokensound77/kibana that referenced this pull request Aug 27, 2020
* increase lookback (`from`) and bump versions
brokensound77 added a commit that referenced this pull request Aug 27, 2020
* increase lookback (`from`) and bump versions
brokensound77 added a commit that referenced this pull request Aug 27, 2020
* increase lookback (`from`) and bump versions