[Security][Detection rules] Pull in rule updates from v0.13.1 update

NOTICE.txt

@@ -149,17 +149,17 @@ SOFTWARE.
 
 ---
 Detection Rules
-Copyright 2020 Elasticsearch B.V.
+Copyright 2021 Elasticsearch B.V.
 
 ---
 This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack
-which is available under a "MIT" license. The files based on this license are:
+which is available under a "MIT" license. The rules based on this license are:
 
-- defense_evasion_via_filter_manager
-- discovery_process_discovery_via_tasklist_command
-- persistence_priv_escalation_via_accessibility_features
-- persistence_via_application_shimming
-- defense_evasion_execution_via_trusted_developer_utilities
+- "Potential Evasion via Filter Manager" (06dceabf-adca-48af-ac79-ffdf4c3b1e9a)
+- "Process Discovery via Tasklist" (cc16f774-59f9-462d-8b98-d27ccd4519ec)
+- "Potential Modification of Accessibility Binaries" (7405ddf1-6c8e-41ce-818f-48bea6bcaed8)
+- "Potential Application Shimming via Sdbinst" (fd4a992d-6130-4802-9ff8-829b89ae801f)
+- "Trusted Developer Application Usage" (9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1)
 
 MIT License
 
@@ -185,9 +185,9 @@ SOFTWARE.
 
 ---
 This product bundles rules based on https://github.com/FSecureLABS/leonidas
-which is available under a "MIT" license. The files based on this license are:
+which is available under a "MIT" license. The rules based on this license are:
 
-- credential_access_secretsmanager_getsecretvalue.toml
+- "AWS Access Secret in Secrets Manager" (a00681e3-9ed6-447c-ab2c-be648821c622)
 
 MIT License
 

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json

@@ -12,7 +12,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Web Application Suspicious Activity: POST Request Declined",
-  "query": "http.response.status_code:403 and http.request.method:post",
+  "query": "http.response.status_code:403 and http.request.method:post\n",
   "references": [
     "https://en.wikipedia.org/wiki/HTTP_403"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json

@@ -12,7 +12,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Web Application Suspicious Activity: Unauthorized Method",
-  "query": "http.response.status_code:405",
+  "query": "http.response.status_code:405\n",
   "references": [
     "https://en.wikipedia.org/wiki/HTTP_405"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json

@@ -30,7 +30,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Web Application Suspicious Activity: No User Agent",
-  "query": "url.path:*",
+  "query": "url.path:*\n",
   "references": [
     "https://en.wikipedia.org/wiki/User_agent"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json

@@ -12,7 +12,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Web Application Suspicious Activity: sqlmap User Agent",
-  "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+  "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n",
   "references": [
     "http://sqlmap.org/"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json

@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "Application Added to Google Workspace Domain",
   "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information.\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html",
-  "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION",
+  "query": "event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n",
   "references": [
     "https://support.google.com/a/answer/6328701?hl=en#"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json

@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "Attempt to Deactivate an Okta Network Zone",
   "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:okta.system and event.action:zone.deactivate",
+  "query": "event.dataset:okta.system and event.action:zone.deactivate\n",
   "references": [
     "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json

@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "Attempt to Delete an Okta Network Zone",
   "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:okta.system and event.action:zone.delete",
+  "query": "event.dataset:okta.system and event.action:zone.delete\n",
   "references": [
     "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json

@@ -16,7 +16,7 @@
   "license": "Elastic License v2",
   "name": "AWS CloudTrail Log Created",
   "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success",
+  "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n",
   "references": [
     "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json

@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "GCP Pub/Sub Subscription Creation",
   "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success",
+  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
   "references": [
     "https://cloud.google.com/pubsub/docs/overview"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json

@@ -14,7 +14,7 @@
   "license": "Elastic License v2",
   "name": "GCP Pub/Sub Topic Creation",
   "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success",
+  "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
   "references": [
     "https://cloud.google.com/pubsub/docs/admin"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json

@@ -17,7 +17,7 @@
   "license": "Elastic License v2",
   "name": "Microsoft 365 New Inbox Rule Created",
   "note": "## Config\n\nThe Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success",
+  "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-InboxRule\" and event.outcome:success\n",
   "references": [
     "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
     "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json

@@ -15,7 +15,7 @@
   "license": "Elastic License v2",
   "name": "Azure Event Hub Authorization Rule Created or Updated",
   "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
-  "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)",
+  "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n",
   "references": [
     "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json

@@ -12,7 +12,10 @@
   "language": "eql",
   "license": "Elastic License v2",
   "name": "Network Connection via Certutil",
-  "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\")]\n",
+  "query": "sequence by process.entity_id\n  [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n  [network where process.name : \"certutil.exe\" and\n    not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n                                  \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n                                  \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n                                  \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n                                  \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n                                  \"FE80::/10\", \"FF00::/8\")]\n",
+  "references": [
+    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+  ],
   "risk_score": 21,
   "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8",
   "severity": "low",
@@ -41,5 +44,5 @@
     }
   ],
   "type": "eql",
-  "version": 5
+  "version": 6
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json

@@ -13,7 +13,7 @@
   "license": "Elastic License v2",
   "name": "Cobalt Strike Command and Control Beacon",
   "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
-  "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/",
+  "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n",
   "references": [
     "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
     "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json

@@ -11,7 +11,7 @@
   "license": "Elastic License v2",
   "name": "Default Cobalt Strike Team Server Certificate",
   "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly.",
-  "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)",
+  "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n  tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n  tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n",
   "references": [
     "https://attack.mitre.org/software/S0154/",
     "https://www.cobaltstrike.com/help-setup-collaboration",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json

@@ -13,10 +13,11 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "DNS Activity to the Internet",
-  "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or \"::1\" or \"FE80::/10\" or \"FF00::/8\")",
+  "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n  and source.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  ) and\n  not destination.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  )\n",
   "references": [
     "https://www.us-cert.gov/ncas/alerts/TA15-240A",
-    "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf"
+    "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
+    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
   ],
   "risk_score": 47,
   "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
@@ -40,5 +41,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 8
+  "version": 9
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json

@@ -12,7 +12,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "Potential DNS Tunneling via NsLookup",
-  "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)",
+  "query": "event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n",
   "references": [
     "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json

@@ -13,10 +13,11 @@
   "license": "Elastic License v2",
   "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
   "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
-  "query": "event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\\/8 OR 172.16.0.0\\/12 OR 192.168.0.0\\/16)",
+  "query": "event.category:(network or network_traffic) and network.protocol:http and\n  (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n    not destination.ip:(\n      10.0.0.0/8 or\n      127.0.0.0/8 or\n      169.254.0.0/16 or\n      172.16.0.0/12 or\n      192.0.0.0/24 or\n      192.0.0.0/29 or\n      192.0.0.8/32 or\n      192.0.0.9/32 or\n      192.0.0.10/32 or\n      192.0.0.170/32 or\n      192.0.0.171/32 or\n      192.0.2.0/24 or\n      192.31.196.0/24 or\n      192.52.193.0/24 or\n      192.168.0.0/16 or\n      192.88.99.0/24 or\n      224.0.0.0/4 or\n      100.64.0.0/10 or\n      192.175.48.0/24 or\n      198.18.0.0/15 or\n      198.51.100.0/24 or\n      203.0.113.0/24 or\n      240.0.0.0/4 or\n      \"::1\" or\n      \"FE80::/10\" or\n      \"FF00::/8\"\n    ) and\n    source.ip:(\n      10.0.0.0/8 or\n      172.16.0.0/12 or\n      192.168.0.0/16\n    )\n",
   "references": [
     "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
-    "https://www.justice.gov/opa/press-release/file/1084361/download"
+    "https://www.justice.gov/opa/press-release/file/1084361/download",
+    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
   ],
   "risk_score": 47,
   "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
@@ -46,5 +47,5 @@
   ],
   "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_fin7_c2_behavior.json

@@ -13,7 +13,7 @@
   "license": "Elastic License v2",
   "name": "Possible FIN7 DGA Command and Control Behavior",
   "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
-  "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us",
+  "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp\nAND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n",
   "references": [
     "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
   ],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_halfbaked_beacon.json

@@ -13,7 +13,7 @@
   "license": "Elastic License v2",
   "name": "Halfbaked Command and Control Beacon",
   "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.",
-  "query": "event.category:(network OR network_traffic) AND network.protocol:http AND network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)",
+  "query": "event.category:(network OR network_traffic) AND network.protocol:http AND\n  network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n  destination.port:(53 OR 80 OR 8080 OR 443)\n",
   "references": [
     "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
     "https://attack.mitre.org/software/S0151/"

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json

@@ -15,7 +15,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "IPSEC NAT Traversal Port Activity",
-  "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500",
+  "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n",
   "risk_score": 21,
   "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
   "severity": "low",

x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json

@@ -15,7 +15,7 @@
   "language": "kuery",
   "license": "Elastic License v2",
   "name": "SMTP on Port 26/TCP",
-  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))",
+  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n",
   "references": [
     "https://unit42.paloaltonetworks.com/unit42-badpatch/",
     "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"