Review Linux and macOS rules for Endgame compatibility

[Mikaayenson]

Description

Review rules for Endgame compatibility and add index.

• Create an endgame stack for testing purposes.
• Check datasets and make sure our rule query aligns.
• Check the fields in the query to make sure the field is available in the endgame event.
• Document differences between the Endgame dataset and Endpoint dataset if any appear.

cc @DefSecSentinel @Samirbous @w0rk3r @shashank-elastic

[Mikaayenson]

@Aegrah If you already did this on the Linux side, then maybe we should rename/scope this issue for macOS only so @DefSecSentinel can pick it up as BAU?

[Aegrah]

@Mikaayenson I did this a few months ago, but many new rules were introduced since then, so some inconsistencies might have slipped through. It's never bad to check. It would make sense to bucket this with a full round of DR tuning, which would only make sense in about 2-3 weeks, since 20-ish rules got pushed last 3 weeks that should first gather some telemetry.

[Aegrah]

@w0rk3r did a great job also adding Endgame compatibility to the Linux rules in his 3rd party EDR initiative Meta: https://github.com/elastic/security-team/issues/8029#issuecomment-2578900206. Linux should, after merging all of these in, be g2g in terms of the endgame compatibility.

We may either close this out, or scope it specifically for MacOS. @Mikaayenson