From 10833682322ada3ab32c7a29f29bbaae07404f37 Mon Sep 17 00:00:00 2001 
From: Frank Hassanabad Date: Wed, 15 Jan 2020 00:55:55 -0700 Subject: [PATCH] [SIEM][Detection Engine] Order JSON keys, fix scripts, update pre-packaged rules ## Summary * Updates pre-packaged rules * Adds rule_id duplicate check into the linter * Updates the scripts for converting saved objects to rules * Adds a script for re-generating the `index.ts` for the rules ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ - [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) --- .../scripts/convert_saved_search_to_rules.js | 58 +- .../rules/get_prepackaged_rules.test.ts | 23 +- .../rules/get_prepackaged_rules.ts | 8 +- 
.../403_response_to_a_post.json | 17 + .../405_response_method_not_allowed.json | 17 + .../500_response_on_admin_page.json | 17 + ...nd_shell_started_by_internet_explorer.json | 60 +- .../command_shell_started_by_powershell.json | 60 +- .../command_shell_started_by_svchost.json | 60 +- ...rk_detect_large_outbound_icmp_packets.json | 17 + ...k_detect_long_dns_txt_record_response.json | 17 + ...s_passing_authentication_in_cleartext.json | 17 + ...windows_child_processes_of_spoolsvexe.json | 17 + ...indows_detect_new_local_admin_account.json | 17 + ...ws_detect_psexec_with_accepteula_flag.json | 17 + ..._cmdexe_to_launch_script_interpreters.json | 17 + .../ece_windows_new_external_device.json | 17 + ...ce_windows_processes_created_by_netsh.json | 17 + ...ece_windows_processes_launching_netsh.json | 17 + ...ece_windows_windows_event_log_cleared.json | 17 + ...den_file_attribute_with_via_attribexe.json | 16 +- .../eql_adobe_hijack_persistence.json | 16 +- .../eql_audio_capture_via_powershell.json | 16 +- .../eql_audio_capture_via_soundrecorder.json | 16 +- .../eql_bypass_uac_event_viewer.json | 16 +- .../eql_bypass_uac_via_cmstp.json | 16 +- .../eql_bypass_uac_via_sdclt.json | 16 +- .../eql_clearing_windows_event_logs.json | 16 +- ...delete_volume_usn_journal_with_fsutil.json | 16 +- ...deleting_backup_catalogs_with_wbadmin.json | 16 +- .../eql_direct_outbound_smb_connection.json | 16 +- ...ble_windows_firewall_rules_with_netsh.json | 16 +- .../eql_dll_search_order_hijack.json | 16 +- ...coding_or_decoding_files_via_certutil.json | 16 +- .../eql_local_scheduled_task_commands.json | 16 +- .../eql_local_service_commands.json | 16 +- ...ql_modification_of_boot_configuration.json | 16 +- ...ql_msbuild_making_network_connections.json | 16 +- .../eql_mshta_making_network_connections.json | 16 +- .../eql_msxsl_making_network_connections.json | 16 +- .../eql_psexec_lateral_movement_command.json | 16 +- ...ql_suspicious_ms_office_child_process.json | 16 +- 
...l_suspicious_ms_outlook_child_process.json | 16 +- ...l_suspicious_pdf_reader_child_process.json | 16 +- .../eql_system_shells_via_services.json | 16 +- ...usual_network_connection_via_rundll32.json | 16 +- .../eql_unusual_parentchild_relationship.json | 16 +- ...ql_unusual_process_network_connection.json | 16 +- .../eql_user_account_creation.json | 16 +- ...eql_user_added_to_administrator_group.json | 16 +- ...ume_shadow_copy_deletion_via_vssadmin.json | 16 +- ..._volume_shadow_copy_deletion_via_wmic.json | 16 +- ...l_windows_script_executing_powershell.json | 16 +- .../eql_wmic_command_lateral_movement.json | 16 +- .../rules/prepackaged_rules/index.ts | 681 +++++++++++------- .../linux_hping_activity.json | 66 +- .../linux_iodine_activity.json | 66 +- ...va_process_connecting_to_the_internet.json | 96 +-- .../linux_kernel_module_activity.json | 66 +- .../linux_ldso_process_activity.json | 16 +- .../linux_lzop_activity.json | 17 + ..._lzop_activity_possible_julianrunnels.json | 16 +- .../linux_mknod_activity.json | 66 +- .../linux_netcat_network_connection.json | 93 +-- ...k_anomalous_process_using_https_ports.json | 16 +- .../linux_nmap_activity.json | 66 +- .../linux_nping_activity.json | 66 +- ...nux_process_started_in_temp_directory.json | 66 +- .../linux_ptrace_activity.json | 41 +- .../linux_rawshark_activity.json | 66 +- .../linux_shell_activity_by_web_server.json | 16 +- .../linux_socat_activity.json | 16 + .../linux_ssh_forwarding.json | 19 + .../linux_strace_activity.json | 66 +- .../linux_tcpdump_activity.json | 41 +- .../linux_unusual_shell_activity.json | 78 +- .../prepackaged_rules/linux_web_download.json | 41 +- .../linux_whoami_commmand.json | 66 +- .../network_dns_directly_to_the_internet.json | 16 +- ...fer_protocol_activity_to_the_internet.json | 16 +- ...hat_protocol_activity_to_the_internet.json | 16 +- .../network_nat_traversal_port_activity.json | 16 +- .../network_port_26_activity.json | 16 +- .../network_port_8000_activity.json | 16 +- 
...rk_port_8000_activity_to_the_internet.json | 16 +- ..._to_point_tunneling_protocol_activity.json | 16 +- ...k_proxy_port_activity_to_the_internet.json | 16 +- ...te_desktop_protocol_from_the_internet.json | 16 +- ...mote_desktop_protocol_to_the_internet.json | 16 +- ...mote_procedure_call_from_the_internet.json | 16 +- ...remote_procedure_call_to_the_internet.json | 16 +- ...file_sharing_activity_to_the_internet.json | 16 +- .../network_smtp_to_the_internet.json | 16 +- ..._server_port_activity_to_the_internet.json | 16 +- ...rk_ssh_secure_shell_from_the_internet.json | 16 +- ...work_ssh_secure_shell_to_the_internet.json | 16 +- .../network_telnet_port_activity.json | 16 +- .../network_tor_activity_to_the_internet.json | 16 +- ...l_network_computing_from_the_internet.json | 16 +- ...ual_network_computing_to_the_internet.json | 16 +- .../prepackaged_rules/null_user_agent.json | 35 + .../powershell_network_connection.json | 60 +- .../process_execution_via_wmi.json | 16 +- ...ed_by_acrobat_reader_possible_payload.json | 42 +- ...by_ms_office_program_possible_payload.json | 42 +- .../process_started_by_windows_defender.json | 16 +- .../prepackaged_rules/psexec_activity.json | 16 +- .../prepackaged_rules/search_windows_10.json | 40 +- .../splunk_child_processes_of_spoolsvexe.json | 16 +- ...nk_detect_large_outbound_icmp_packets.json | 16 +- ...k_detect_long_dns_txt_record_response.json | 16 +- ...splunk_detect_new_local_admin_account.json | 16 +- ...nk_detect_psexec_with_accepteula_flag.json | 16 +- ..._cmdexe_to_launch_script_interpreters.json | 16 +- .../splunk_processes_created_by_netsh.json | 16 +- .../splunk_processes_launching_netsh.json | 16 +- ...s_passing_authentication_in_cleartext.json | 16 +- .../splunk_windows_event_log_cleared.json | 16 +- .../prepackaged_rules/sqlmap_user_agent.json | 17 + ...ed_invokecommand_powershell_execution.json | 44 +- ...ncoded_newobject_powershell_execution.json | 44 +- ...ded_startprocess_powershell_execution.json | 44 +- 
...gory_a_suspicious_string_was_detected.json | 16 +- ...ttempted_administrator_privilege_gain.json | 18 +- ..._category_attempted_denial_of_service.json | 18 +- ...a_category_attempted_information_leak.json | 16 +- ...empted_login_with_suspicious_username.json | 18 +- ...ategory_attempted_user_privilege_gain.json | 18 +- ...ta_category_client_using_unusual_port.json | 16 +- ...egory_crypto_currency_mining_activity.json | 16 +- ...icata_category_decode_of_an_rpc_query.json | 16 +- ...t_username_and_password_login_attempt.json | 18 +- .../suricata_category_denial_of_service.json | 18 +- ...ata_category_denial_of_service_attack.json | 18 +- ...category_executable_code_was_detected.json | 18 +- ...uricata_category_exploit_kit_activity.json | 18 +- ...ategory_external_ip_address_retrieval.json | 18 +- .../suricata_category_generic_icmp_event.json | 16 +- ...egory_generic_protocol_command_decode.json | 16 +- .../suricata_category_information_leak.json | 18 +- ...category_large_scale_information_leak.json | 18 +- ..._malware_command_and_control_activity.json | 18 +- .../suricata_category_misc_activity.json | 16 +- .../suricata_category_misc_attack.json | 18 +- ...ricata_category_network_scan_detected.json | 16 +- ...cata_category_network_trojan_detected.json | 18 +- ...ategory_nonstandard_protocol_or_event.json | 18 +- ...icata_category_not_suspicious_traffic.json | 16 +- .../suricata_category_observed_c2_domain.json | 18 +- ...possible_social_engineering_attempted.json | 18 +- ...ta_category_possibly_unwanted_program.json | 18 +- ...potential_corporate_privacy_violation.json | 18 +- ...cata_category_potentially_bad_traffic.json | 18 +- ...lly_vulnerable_web_application_access.json | 18 +- ...ccessful_administrator_privilege_gain.json | 18 +- ..._category_successful_credential_theft.json | 18 +- ...tegory_successful_user_privilege_gain.json | 18 +- ...category_suspicious_filename_detected.json | 18 +- ...uricata_category_system_call_detected.json | 18 +- 
..._category_targeted_malicious_activity.json | 18 +- ...cata_category_tcp_connection_detected.json | 16 +- .../suricata_category_unknown_traffic.json | 16 +- ...gory_unsuccessful_user_privilege_gain.json | 18 +- ...icata_category_web_application_attack.json | 18 +- ...baltstrike_artifact_in_an_dns_request.json | 18 +- ...a_commonly_abused_dns_domain_detected.json | 16 +- ...eversal_characters_in_an_http_request.json | 16 +- ...aversal_characters_in_an_http_request.json | 38 + ...traversal_characters_in_http_response.json | 39 +- ...tory_traversal_in_downloaded_zip_file.json | 39 +- ...icata_dns_traffic_on_unusual_tcp_port.json | 41 +- ...icata_dns_traffic_on_unusual_udp_port.json | 16 +- ...ta_double_encoded_characters_in_a_uri.json | 16 +- ...le_encoded_characters_in_an_http_post.json | 16 +- ...le_encoded_characters_in_http_request.json | 38 + ..._eval_php_function_in_an_http_request.json | 16 +- .../suricata_exploit_cve_2018_1000861.json | 35 + .../suricata_exploit_cve_2019_0227.json | 35 + .../suricata_exploit_cve_2019_0232.json | 35 + .../suricata_exploit_cve_2019_0604.json | 35 + .../suricata_exploit_cve_2019_0708.json | 35 + .../suricata_exploit_cve_2019_0752.json | 35 + .../suricata_exploit_cve_2019_1003000.json | 35 + .../suricata_exploit_cve_2019_10149.json | 35 + .../suricata_exploit_cve_2019_11043.json | 35 + .../suricata_exploit_cve_2019_11510.json | 35 + .../suricata_exploit_cve_2019_11580.json | 35 + .../suricata_exploit_cve_2019_11581.json | 35 + .../suricata_exploit_cve_2019_13450.json | 35 + .../suricata_exploit_cve_2019_13505.json | 35 + .../suricata_exploit_cve_2019_15107.json | 35 + .../suricata_exploit_cve_2019_15846.json | 35 + .../suricata_exploit_cve_2019_16072.json | 35 + .../suricata_exploit_cve_2019_1652.json | 35 + .../suricata_exploit_cve_2019_16662.json | 35 + .../suricata_exploit_cve_2019_16759.json | 35 + .../suricata_exploit_cve_2019_16928.json | 35 + .../suricata_exploit_cve_2019_17270.json | 35 + 
.../suricata_exploit_cve_2019_1821.json | 35 + .../suricata_exploit_cve_2019_19781.json | 35 + .../suricata_exploit_cve_2019_2618.json | 35 + .../suricata_exploit_cve_2019_2725.json | 35 + .../suricata_exploit_cve_2019_3396.json | 35 + .../suricata_exploit_cve_2019_3929.json | 35 + .../suricata_exploit_cve_2019_5533.json | 35 + .../suricata_exploit_cve_2019_6340.json | 35 + .../suricata_exploit_cve_2019_7256.json | 35 + .../suricata_exploit_cve_2019_9978.json | 35 + ..._on_unusual_port_internet_destination.json | 16 +- ..._on_unusual_port_internet_destination.json | 16 +- ..._on_unusual_port_internet_destination.json | 16 +- ...cata_lazagne_artifact_in_an_http_post.json | 16 +- ...ta_mimikatz_artifacts_in_an_http_post.json | 16 +- ...katz_string_detected_in_http_response.json | 16 +- ...uricata_nondns_traffic_on_tcp_port_53.json | 16 +- ...uricata_nondns_traffic_on_udp_port_53.json | 16 +- .../suricata_nonftp_traffic_on_port_21.json | 16 +- ...ricata_nonhttp_traffic_on_tcp_port_80.json | 16 +- ...ata_nonimap_traffic_on_port_1443_imap.json | 16 +- ...ta_nonsmb_traffic_on_tcp_port_139_smb.json | 16 +- .../suricata_nonssh_traffic_on_port_22.json | 16 +- .../suricata_nontls_on_tls_port.json | 16 +- ...alt_strike_malleable_c2_null_response.json | 16 +- ...ion_sql_commands_in_http_transactions.json | 16 +- .../suricata_rpc_traffic_on_http_ports.json | 16 +- .../suricata_serialized_php_detected.json | 16 +- ...ell_exec_php_function_in_an_http_post.json | 16 +- ...c_not_on_port_22_internet_destination.json | 16 +- ..._on_unusual_port_internet_destination.json | 16 +- ...executable_served_by_jpeg_web_content.json | 16 +- ...uspicious_process_started_by_a_script.json | 42 +- ...rvice_bits_connecting_to_the_internet.json | 16 +- .../windows_burp_ce_activity.json | 16 +- ...s_certutil_connecting_to_the_internet.json | 16 +- ...and_prompt_connecting_to_the_internet.json | 16 +- ...nd_shell_started_by_internet_explorer.json | 16 + ...s_command_shell_started_by_powershell.json | 
16 + ...dows_command_shell_started_by_svchost.json | 16 + .../windows_credential_dumping_commands.json | 16 +- ...dows_credential_dumping_via_imageload.json | 16 +- ..._credential_dumping_via_registry_save.json | 16 +- ...ows_data_compression_using_powershell.json | 16 +- ...fense_evasion_decoding_using_certutil.json | 16 +- ...asion_or_persistence_via_hidden_files.json | 16 +- ...ws_defense_evasion_via_filter_manager.json | 16 +- ...e_evasion_via_windows_event_log_tools.json | 16 +- ...dows_execution_via_compiled_html_file.json | 16 +- ...dows_execution_via_connection_manager.json | 16 +- ...on_via_microsoft_html_application_hta.json | 16 +- ...dows_execution_via_net_com_assemblies.json | 16 +- .../windows_execution_via_regsvr32.json | 16 +- ...ution_via_trusted_developer_utilities.json | 16 +- ...le_program_connecting_to_the_internet.json | 16 +- ...dows_image_load_from_a_temp_directory.json | 40 +- .../windows_indirect_command_execution.json | 16 +- .../windows_iodine_activity.json | 16 +- ...agement_instrumentation_wmi_execution.json | 16 +- ...cation_hta_connecting_to_the_internet.json | 16 +- .../windows_mimikatz_activity.json | 41 +- ...isc_lolbin_connecting_to_the_internet.json | 16 +- ...ommand_activity_by_the_system_account.json | 51 +- .../windows_net_user_command_activity.json | 41 +- .../windows_netcat_activity.json | 41 +- .../windows_netcat_network_activity.json | 41 +- ...ous_windows_process_using_https_ports.json | 16 +- .../windows_nmap_activity.json | 41 +- .../windows_nmap_scan_activity.json | 41 +- ...dows_payload_obfuscation_via_certutil.json | 16 +- ...stence_or_priv_escalation_via_hooking.json | 16 +- ..._persistence_via_application_shimming.json | 16 +- .../windows_persistence_via_bits_jobs.json | 16 +- ..._via_modification_of_existing_service.json | 16 +- ...s_persistence_via_netshell_helper_dll.json | 16 +- ...powershell_connecting_to_the_internet.json | 16 +- ...escalation_via_accessibility_features.json | 16 +- 
...rocess_discovery_via_tasklist_command.json | 16 +- .../windows_process_execution_via_wmi.json | 17 + ...ed_by_acrobat_reader_possible_payload.json | 16 + ...by_ms_office_program_possible_payload.json | 16 + ...s_process_started_by_the_java_runtime.json | 41 +- .../windows_psexec_activity.json | 17 + ...er_program_connecting_to_the_internet.json | 16 +- .../windows_registry_query_local.json | 16 +- .../windows_registry_query_network.json | 16 +- .../windows_remote_management_execution.json | 16 +- .../windows_scheduled_task_activity.json | 16 +- ...nterpreter_connecting_to_the_internet.json | 16 +- ...windows_signed_binary_proxy_execution.json | 16 +- ...igned_binary_proxy_execution_download.json | 16 +- ...uspicious_process_started_by_a_script.json | 16 + .../windows_whoami_command_activity.json | 41 +- .../windows_windump_activity.json | 17 + .../windows_wireshark_activity.json | 16 +- .../prepackaged_rules/windump_activity.json | 16 +- .../zeek_notice_capturelosstoo_much_loss.json | 16 +- .../zeek_notice_conncontent_gap.json | 16 +- ...tice_connretransmission_inconsistency.json | 16 +- .../zeek_notice_dnsexternal_name.json | 16 +- .../zeek_notice_ftpbruteforcing.json | 16 +- .../zeek_notice_ftpsite_exec_success.json | 16 +- ...notice_heartbleedssl_heartbeat_attack.json | 16 +- ...eartbleedssl_heartbeat_attack_success.json | 16 +- ...heartbleedssl_heartbeat_many_requests.json | 16 +- ...ce_heartbleedssl_heartbeat_odd_length.json | 16 +- ...eek_notice_httpsql_injection_attacker.json | 16 +- .../zeek_notice_httpsql_injection_victim.json | 16 +- .../zeek_notice_intelnotice.json | 16 +- .../zeek_notice_noticetally.json | 16 +- ...ice_packetfiltercannot_bpf_shunt_conn.json | 16 +- ...ek_notice_packetfiltercompile_failure.json | 16 +- ...ek_notice_packetfilterdropped_packets.json | 16 +- ...ek_notice_packetfilterinstall_failure.json | 16 +- ...etfilterno_more_conn_shunts_available.json | 16 +- ...acketfiltertoo_long_to_compile_filter.json | 16 +- 
...notice_protocoldetectorprotocol_found.json | 16 +- ...k_notice_protocoldetectorserver_found.json | 16 +- .../zeek_notice_scanaddress_scan.json | 16 +- .../zeek_notice_scanport_scan.json | 16 +- ...zeek_notice_signaturescount_signature.json | 16 +- ...ice_signaturesmultiple_sig_responders.json | 16 +- ..._notice_signaturesmultiple_signatures.json | 16 +- ..._notice_signaturessensitive_signature.json | 16 +- ...ek_notice_signaturessignature_summary.json | 16 +- ...eek_notice_smtpblocklist_blocked_host.json | 16 +- ...ek_notice_smtpblocklist_error_message.json | 16 +- ...eek_notice_smtpsuspicious_origination.json | 16 +- ...otice_softwaresoftware_version_change.json | 16 +- ...eek_notice_softwarevulnerable_version.json | 16 +- ..._notice_sshinteresting_hostname_login.json | 16 +- ...k_notice_sshlogin_by_password_guesser.json | 16 +- .../zeek_notice_sshpassword_guessing.json | 16 +- .../zeek_notice_sshwatched_country_login.json | 16 +- .../zeek_notice_sslcertificate_expired.json | 16 +- ...ek_notice_sslcertificate_expires_soon.json | 16 +- ...k_notice_sslcertificate_not_valid_yet.json | 16 +- .../zeek_notice_sslinvalid_ocsp_response.json | 16 +- .../zeek_notice_sslinvalid_server_cert.json | 16 +- .../zeek_notice_sslold_version.json | 16 +- .../zeek_notice_sslweak_cipher.json | 16 +- .../zeek_notice_sslweak_key.json | 16 +- ...ice_teamcymrumalwarehashregistrymatch.json | 16 +- .../zeek_notice_traceroutedetected.json | 16 +- .../zeek_notice_weirdactivity.json | 16 +- .../scripts/regen_prepackge_rules_index.sh | 33 + 344 files changed, 4760 insertions(+), 3708 deletions(-) create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json create mode 
100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json create mode 
100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json create mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json create mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json create mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json create mode 100755 x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/regen_prepackge_rules_index.sh diff --git a/x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_rules.js b/x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_rules.js index 0da44eec3aaa30..4243e67ca1320c 100644 --- a/x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_rules.js +++ b/x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_rules.js @@ -38,17 +38,6 @@ const TO = 'now'; const IMMUTABLE = true; const RISK_SCORE = 50; const ENABLED = false; -let allRules = `/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -// Auto generated file from scripts/convert_saved_search_rules.js -// Do not hand edit. Run the script against a set of saved searches instead - -`; -const allRulesNdJson = 'index.ts'; // For converting, if you want to use these instead of rely on the defaults then // comment these in and use them for the script. Otherwise this is commented out 
@@ -133,22 +122,19 @@ async function main() { }, []); savedSearchesParsed.forEach( - ( - { - _file, - attributes: { - description, - title, - kibanaSavedObjectMeta: { - searchSourceJSON: { - query: { query, language }, - filter, - }, + ({ + _file, + attributes: { + description, + title, + kibanaSavedObjectMeta: { + searchSourceJSON: { + query: { query, language }, + filter, }, }, }, - index - ) => { + }) => { const fileToWrite = cleanupFileName(_file); // remove meta value from the filter @@ -157,20 +143,20 @@ async function main() { return filterValue; }); const outputMessage = { - rule_id: uuid.v4(), - risk_score: RISK_SCORE, description: description || title, + enabled: ENABLED, + filters: filterWithoutMeta, + from: FROM, immutable: IMMUTABLE, interval: INTERVAL, + language, name: title, + query, + risk_score: RISK_SCORE, + rule_id: uuid.v4(), severity: SEVERITY, - type: TYPE, - from: FROM, to: TO, - query, - language, - filters: filterWithoutMeta, - enabled: ENABLED, + type: TYPE, version: 1, // comment these in if you want to use these for input output, otherwise // with these two commented out, we will use the default saved objects from spaces. @@ -182,16 +168,8 @@ async function main() { `${outputDir}/${fileToWrite}.json`, `${JSON.stringify(outputMessage, null, 2)}\n` ); - allRules += `import rule${index + 1} from './${fileToWrite}.json';\n`; } ); - allRules += '\n'; - allRules += 'export const rawRules = [\n'; - savedSearchesParsed.forEach((_, index) => { - allRules += ` rule${index + 1},\n`; - }); - allRules += '];\n'; - fs.writeFileSync(`${outputDir}/${allRulesNdJson}`, allRules); } if (require.main === module) { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts index 24184b023bee3b..260147ed0506c8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts 
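Review bot: `rule_id: uuid.v4()` in the reordered `outputMessage` literal mints a fresh identifier on every run of the converter, so regenerating a rule that already ships under `rules/prepackaged_rules` yields the same logic under a new `rule_id` instead of an update to the existing rule. Together with `immutable: true` and the hard-coded `version: 1`, that means re-running the script can never produce a legitimate upgrade of a shipped rule, and `rule_id` is exactly the identity the new duplicate test in `get_prepackaged_rules.test.ts` relies on. Consider reading the existing output first and reusing its id: `const previous = fs.existsSync(outPath) ? JSON.parse(fs.readFileSync(outPath, 'utf8')) : {};` followed by `rule_id: previous.rule_id || uuid.v4(),` (where `outPath` is the `${outputDir}/${fileToWrite}.json` path `writeFileSync` already uses further down in `main()`). If regeneration is instead meant to be a one-shot bootstrap with ids and versions fixed by hand afterwards, say so: `// NOTE: rule_id is random and version is always 1; re-running this against shipped rules requires restoring rule_id and bumping version manually.` The enclosing `main()` begins and ends outside this hunk.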
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts @@ -5,15 +5,36 @@ */ import { getPrepackagedRules } from './get_prepackaged_rules'; +import { RuleAlertParamsRest } from '../types'; +import { isEmpty } from 'lodash/fp'; describe('get_existing_prepackaged_rules', () => { test('should not throw any errors with the existing checked in pre-packaged rules', () => { expect(() => getPrepackagedRules()).not.toThrow(); }); + test('no rule should have the same rule_id as another rule_id', () => { + const prePacakgedRules = getPrepackagedRules(); + let existingRuleIds: RuleAlertParamsRest[] = []; + prePacakgedRules.forEach(rule => { + const foundDuplicate = existingRuleIds.reduce((accum, existingRule) => { + if (existingRule.rule_id === rule.rule_id) { + return `Found duplicate rule_id of ${rule.rule_id} between these two rule names of "${rule.name}" and "${existingRule.name}"`; + } else { + return accum; + } + }, ''); + if (!isEmpty(foundDuplicate)) { + expect(foundDuplicate).toEqual(''); + } else { + existingRuleIds = [...existingRuleIds, rule]; + } + }); + }); + test('should throw an exception if a pre-packaged rule is not valid', () => { expect(() => getPrepackagedRules([{ not_valid_made_up_key: true }])).toThrow( - 'name: "(rule_name unknown)", rule_id: "(rule_id unknown)" within the folder rules/prepackaged_rules is not a valid detection engine rule. Expect the system to not work with pre-packaged rules until this rule is fixed or the file is removed. Error is: child "description" fails because ["description" is required]' + 'name: "(rule name unknown)", rule_id: "(rule rule_id unknown)" within the folder rules/prepackaged_rules is not a valid detection engine rule. Expect the system to not work with pre-packaged rules until this rule is fixed or the file is removed. Error is: child "description" fails because ["description" is required], Full rule contents are:\n{\n "not_valid_made_up_key": true\n}' ); }); 
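Review bot: The new `no rule should have the same rule_id as another rule_id` test reports only the first collision per rule and does so by `reduce`-ing into a string that is then checked with `isEmpty`, while the accumulator is named `existingRuleIds` although it holds whole rules and `prePacakgedRules` is misspelled. A `Map` keyed by `rule_id` that collects every collision, followed by a single `expect(duplicates).toEqual([])`, is linear, prints all clashes in one failure, and removes the need for the two imports (`RuleAlertParamsRest`, `isEmpty`) this hunk adds. Note also that the check exists only in Jest: `validateAllPrepackagedRules` (touched in this same commit) still accepts two rules sharing a `rule_id` at load time, so the PR description's "linter" is really a unit test; if duplicates must never reach the install path, the same `Map` pass belongs in the validator too. The `describe` block appears to close outside this hunk.
```typescript
  test('no rule should have the same rule_id as another rule_id', () => {
    // rule_id -> name of the first rule seen carrying that id
    const seenNames = new Map<string, string>();
    const duplicates: string[] = [];
    getPrepackagedRules().forEach(rule => {
      const firstName = seenNames.get(rule.rule_id);
      if (firstName != null) {
        duplicates.push(
          `Found duplicate rule_id of ${rule.rule_id} between these two rule names of "${rule.name}" and "${firstName}"`
        );
      } else {
        seenNames.set(rule.rule_id, rule.name);
      }
    });
    expect(duplicates).toEqual([]);
  });
```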
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts index 376ad4eb287d5b..855d0d73f6796a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts @@ -19,13 +19,15 @@ export const validateAllPrepackagedRules = ( return rules.map(rule => { const validatedRule = addPrepackagedRulesSchema.validate(rule); if (validatedRule.error != null) { - const ruleName = rule.name ? rule.name : '(rule_name unknown)'; - const ruleId = rule.rule_id ? rule.rule_id : '(rule_id unknown)'; + const ruleName = rule.name ? rule.name : '(rule name unknown)'; + const ruleId = rule.rule_id ? rule.rule_id : '(rule rule_id unknown)'; throw new TypeError( `name: "${ruleName}", rule_id: "${ruleId}" within the folder rules/prepackaged_rules ` + `is not a valid detection engine rule. Expect the system ` + `to not work with pre-packaged rules until this rule is fixed ` + - `or the file is removed. Error is: ${validatedRule.error.message}` + `or the file is removed. Error is: ${ + validatedRule.error.message + }, Full rule contents are:\n${JSON.stringify(rule, null, 2)}` ); } else { return validatedRule.value; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json new file mode 100644 index 00000000000000..932f1986045574 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json 
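Review bot: The renamed placeholder `'(rule rule_id unknown)'` reads as a typo beside `'(rule name unknown)'`; the previous `'(rule_id unknown)'` is what a log reader expects, and the matching string in `get_prepackaged_rules.test.ts` would need the same change. More substantively, the message now embeds `JSON.stringify(rule, null, 2)` of the entire invalid rule: that is useful for the checked-in files this path is written for, but `validateAllPrepackagedRules` takes `rules` as a parameter (the test passes an arbitrary object), so if it is ever reached with content that did not come from the repository, every field of that content ends up verbatim in the thrown `TypeError` and in whatever logs or responses surface it. A short comment would make the assumption explicit: `// The full rule is dumped into the error text: callers must only pass checked-in pre-packaged rules here.` The enclosing `rules.map` callback and `validateAllPrepackagedRules` continue outside this hunk.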
@@ -0,0 +1,17 @@
+{
+ "description": "403 Response to a POST",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "403 Response to a POST",
+ "query": "http.response.status_code:403 and http.request.method:post",
+ "risk_score": 50,
+ "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
new file mode 100644
index 00000000000000..d4c9a40ddb45f1
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
@@ -0,0 +1,17 @@
+{
+ "description": "405 Response (Method Not Allowed)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "405 Response (Method Not Allowed)",
+ "query": "http.response.status_code:405",
+ "risk_score": 50,
+ "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
new file mode 100644
index 00000000000000..62312003797326
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
@@ -0,0 +1,17 @@ +{ + "description": "500 Response on Admin page", + "enabled": false, + "filters": [], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "500 Response on Admin page", + "query": "url.path:\"/admin/\" and http.response.status_code:500", + "risk_score": 50, + "rule_id": "054f669c-b065-492e-acd9-15e44fc42380", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json index 1fd9fc0bb0d32c..bb9d8c60040f6e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json @@ -1,29 +1,22 @@ { - "rule_id": "a0b554d2-85ed-4998-ada3-4ca58b508b35", - "risk_score": 50, "description": "Command shell started by Internet Explorer", - "immutable": true, - "interval": "5m", - "name": "Command shell started by Internet Explorer", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "process.parent.name:iexplore.exe", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "process.name", - "value": "cmd.exe", + "negate": false, "params": { "query": "cmd.exe" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "cmd.exe" }, "query": { "match": { 
@@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", + "negate": false, "params": { "query": "Process Create (rule: ProcessCreate)" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "Process Create (rule: ProcessCreate)" }, "query": { "match": { @@ -57,12 +50,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Command shell started by Internet Explorer", + "query": "process.parent.name:iexplore.exe", + "risk_score": 50, + "rule_id": "a0b554d2-85ed-4998-ada3-4ca58b508b35", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json index 594e3d5f650f9d..d9820f90c55ee4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json 
@@ -1,29 +1,22 @@ { - "rule_id": "ab4bbfa5-4127-40bf-852f-bdc6afdb2a06", - "risk_score": 50, "description": "Command shell started by Powershell", - "immutable": true, - "interval": "5m", - "name": "Command shell started by Powershell", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "process.parent.name:powershell.exe", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "process.name", - "value": "cmd.exe", + "negate": false, "params": { "query": "cmd.exe" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "cmd.exe" }, "query": { "match": { @@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", + "negate": false, "params": { "query": "Process Create (rule: ProcessCreate)" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "Process Create (rule: ProcessCreate)" }, "query": { "match": { 
@@ -57,12 +50,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Command shell started by Powershell", + "query": "process.parent.name:powershell.exe", + "risk_score": 50, + "rule_id": "ab4bbfa5-4127-40bf-852f-bdc6afdb2a06", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json index 02f7516d5cd794..a11f69fc3048f7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json @@ -1,29 +1,22 @@ { - "rule_id": "2e4f8a5e-ce68-44e0-9243-1f57d44c4f30", - "risk_score": 50, "description": "Command shell started by Svchost", - "immutable": true, - "interval": "5m", - "name": "Command shell started by Svchost", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "process.parent.name:svchost.exe", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "process.name", - "value": "cmd.exe", + "negate": false, "params": { "query": "cmd.exe" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "cmd.exe" }, "query": { "match": { 
@@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", + "negate": false, "params": { "query": "Process Create (rule: ProcessCreate)" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "Process Create (rule: ProcessCreate)" }, "query": { "match": { @@ -57,12 +50,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Command shell started by Svchost", + "query": "process.parent.name:svchost.exe", + "risk_score": 50, + "rule_id": "2e4f8a5e-ce68-44e0-9243-1f57d44c4f30", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json new file mode 100644 index 00000000000000..faa1c97e4badaa --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json 
@@ -0,0 +1,17 @@
+{
+ "description": "Network - Detect Large Outbound ICMP Packets",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Network - Detect Large Outbound ICMP Packets",
+ "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "4fce2a7e-0e11-4f17-bae3-8873c5ae62be",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json
new file mode 100644
index 00000000000000..f034e4999107f3
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json
@@ -0,0 +1,17 @@
+{
+ "description": "Network - Detect Long DNS TXT Record Response",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Network - Detect Long DNS TXT Record Response",
+ "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53",
+ "risk_score": 50,
+ "rule_id": "cc28f445-318e-4850-8b0d-5ad53eaded74",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
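Review bot: In ece_network_detect_long_dns_txt_record_response.json the name and description promise TXT-record responses, but the query only constrains `network.protocol:dns and server.bytes>100` plus the destination exclusions, so any sufficiently large DNS response (a long answer section of any record type, if the data source reports sizes that way) will match. Either add a record-type constraint if the source carries one, or reword `description` to say the rule keys on response size, so analysts triaging the alert know what it actually detects. The exclusions are on `destination.ip`, so replies fetched through an internal resolver are excluded entirely; presumably intended, since the rule appears to target direct external resolution, but that too belongs in the description.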
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json
new file mode 100644
index 00000000000000..d1b5f6be750401
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json
@@ -0,0 +1,17 @@
+{
+ "description": "Network - Protocols passing authentication in cleartext",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Network - Protocols passing authentication in cleartext",
+ "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
+ "risk_score": 50,
+ "rule_id": "31f32b3c-415a-4a18-b60f-5748a337246b",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json
new file mode 100644
index 00000000000000..60d5ffe918585f
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json
@@ -0,0 +1,17 @@
+{
+ "description": "Windows - Child Processes of Spoolsv.exe",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Windows - Child Processes of Spoolsv.exe",
+ "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ",
+ "risk_score": 50,
+ "rule_id": "dcc45d35-f42e-4f97-81e8-90b0597ea0d1",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
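Review bot: The `query` in ece_windows_child_processes_of_spoolsvexe.json ends with a trailing space (`...regsvr32.exe "`), as does the one in ece_windows_processes_launching_netsh.json a few hunks on, and eql_adding_the_hidden_file_attribute_with_via_attribexe.json starts with one. KQL presumably tolerates it, but since this PR also updates the converter script that regenerates these files from saved objects, trimming the `query` value in that converter would keep the checked-in rules byte-stable across regenerations and make reorder diffs like this one easier to read.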
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json
new file mode 100644
index 00000000000000..ca27234b0d8ae0
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json
@@ -0,0 +1,17 @@
+{
+ "description": "Windows - Detect New Local Admin account",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Windows - Detect New Local Admin account",
+ "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators",
+ "risk_score": 50,
+ "rule_id": "461db51b-b1a1-49de-ac63-e1bcbd445602",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json
new file mode 100644
index 00000000000000..25dcd8234e092f
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json
@@ -0,0 +1,17 @@
+{
+ "description": "Windows - Detect PsExec With accepteula Flag",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Windows - Detect PsExec With accepteula Flag",
+ "query": "process.name:PsExec.exe and process.args:\"-accepteula\"",
+ "risk_score": 50,
+ "rule_id": "304b0e0c-bd06-46f8-aeda-2e719ae434d1",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
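Review bot: In ece_windows_detect_new_local_admin_account.json the query `event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators` applies the group-name condition to both event codes, but for 4720 (account created) TargetUserName is, as far as I recall the Windows audit schema, the newly created account rather than a group, so the 4720 branch would only fire for an account literally named "Administrators". If the intent is "new account that is then added to Administrators", the 4720 clause needs its own condition or its own rule; if only the group-membership case is meant, `name` and `description` should say so. Confirm against the winlogbeat field mapping before changing the query.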
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json
new file mode 100644
index 00000000000000..70d06ca9a4777d
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json
@@ -0,0 +1,17 @@
+{
+ "description": "Windows - Detect Use of cmd.exe to Launch Script Interpreters",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Windows - Detect Use of cmd.exe to Launch Script Interpreters",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"",
+ "risk_score": 50,
+ "rule_id": "b17c215e-8fa5-4087-b8d1-87761a90d710",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json
new file mode 100644
index 00000000000000..9dbc8d7cbb7ede
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json
@@ -0,0 +1,17 @@
+{
+ "description": "Windows - New External Device Attached",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Windows - New External Device Attached",
+ "query": "event.code:6416",
+ "risk_score": 50,
+ "rule_id": "c0747553-5763-5d85-cd97-898f2daa2bde",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json
new file mode 100644
index 00000000000000..3f4e1a6243a969
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json
@@ -0,0 +1,17 @@
+{
+ "description": "Windows - Processes created by netsh",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Windows - Processes created by netsh",
+ "query": "process.parent.name:netsh.exe",
+ "risk_score": 50,
+ "rule_id": "e312dd9e-4760-4a71-a241-9b9a835a51c4",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json
new file mode 100644
index 00000000000000..34d08d7596e118
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json
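Review bot: The `rule_id` in ece_windows_new_external_device.json, `c0747553-5763-5d85-cd97-898f2daa2bde`, does not follow the RFC 4122 version-4 layout every other new rule in this PR uses (third group starts with `5`, fourth group starts with `c`, which is not a valid variant nibble), which suggests it was hand-edited rather than generated. That is harmless if `rule_id` is treated as an opaque string, but since the new uniqueness test only catches exact duplicates, a hand-typed id is exactly the kind of value that can drift from a downstream copy; regenerating it with a UUID tool before this ships is the safe choice, provided no deployment has persisted this id yet.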
@@ -0,0 +1,17 @@
+{
+ "description": "Windows - Processes launching netsh",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Windows - Processes launching netsh",
+ "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
+ "risk_score": 50,
+ "rule_id": "3b8db8aa-5734-405e-8dda-703129078a35",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json
new file mode 100644
index 00000000000000..bd82247203f005
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json
@@ -0,0 +1,17 @@
+{
+ "description": "Windows - Windows Event Log Cleared",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Windows - Windows Event Log Cleared",
+ "query": "event.code:(1102 or 1100)",
+ "risk_score": 50,
+ "rule_id": "b94b5177-ca7f-468a-9a1d-aef39c30a3ae",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
index 7bddffb4734ef0..a65a386cb827e7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json @@ -1,17 +1,17 @@ { - "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", - "risk_score": 50, "description": "EQL - Adding the Hidden File Attribute with via attrib.exe", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Adding the Hidden File Attribute with via attrib.exe", + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"", + "risk_score": 50, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json index d57e5c7709b246..e5d797f3fc1319 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json 
@@ -1,17 +1,17 @@ { - "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "risk_score": 50, "description": "EQL - Adobe Hijack Persistence", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Adobe Hijack Persistence", + "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe", + "risk_score": 50, + "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json index da3cf0fb460259..ef65bd3ecef35d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json 
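Review bot: The exclusion `not process.name:msiexeec.exe` in eql_adobe_hijack_persistence.json misspells the Windows Installer binary, which is `msiexec.exe`, so the exclusion never matches and legitimate Reader installs and updates will raise this alert; the clause should read `and not process.name:msiexec.exe`. The typo is carried over from the old side, so this reorder did not introduce it, but it is the kind of defect the new "Full rule contents" output cannot surface because the JSON itself is valid.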
@@ -1,17 +1,17 @@ { - "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada", - "risk_score": 50, "description": "EQL - Audio Capture via PowerShell", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Audio Capture via PowerShell", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"", + "risk_score": 50, + "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json index cc0091feb290d8..89eec55d827d6d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json 
@@ -1,17 +1,17 @@ { - "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1", - "risk_score": 50, "description": "EQL - Audio Capture via SoundRecorder", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Audio Capture via SoundRecorder", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"", + "risk_score": 50, + "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json index bdc85045009cb6..80f83991516a67 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json 
@@ -1,17 +1,17 @@ { - "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f", - "risk_score": 50, "description": "EQL -Bypass UAC Event Viewer", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL -Bypass UAC Event Viewer", + "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")", + "risk_score": 50, + "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json index c3b28e6dce849e..0850632c95899d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json 
@@ -1,17 +1,17 @@ { - "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0", - "risk_score": 50, "description": "EQL - Bypass UAC via CMSTP", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Bypass UAC via CMSTP", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")", + "risk_score": 50, + "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json index d79c551ffb9cba..85ba24fd572c37 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json 
@@ -1,17 +1,17 @@ { - "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670", - "risk_score": 50, "description": "EQL -Bypass UAC Via sdclt", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL -Bypass UAC Via sdclt", + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")", + "risk_score": 50, + "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json index d7eb663297a637..28f45b94049e78 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json 
@@ -1,17 +1,17 @@ { - "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "risk_score": 50, "description": "EQL - Clearing Windows Event Logs", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "EQL - Clearing Windows Event Logs", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")", + "risk_score": 50, + "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json index 2155c2fa12913a..6f00427656af6f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json 
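Review bot: The query in eql_clearing_windows_event_logs.json mixes `and` and `or` without an outer group: `event.action:"Process Create (rule: ProcessCreate)" and (process.name:"wevtutil.exe" and process.args:"cl") or (process.name:"powershell.exe" and process.args:"Clear-EventLog")`. If KQL gives `and` precedence over `or`, as Kibana's documentation states, the `event.action` constraint applies only to the wevtutil branch and the powershell branch matches any event carrying those fields. Wrapping both alternatives in one group — `event.action:"Process Create (rule: ProcessCreate)" and ((process.name:"wevtutil.exe" and process.args:"cl") or (process.name:"powershell.exe" and process.args:"Clear-EventLog"))` — states the intent explicitly either way. The query text is unchanged by this commit; only the key order moved.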
@@ -1,17 +1,17 @@
 {
- "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
- "risk_score": 50,
 "description": "EQL - Delete Volume USN Journal with fsutil",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Delete Volume USN Journal with fsutil",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
+ "risk_score": 50,
+ "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
index 4bf7ae5ee1a5a2..8f5b21b74ee6a3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
- "risk_score": 50,
 "description": "EQL - Deleting Backup Catalogs with wbadmin",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Deleting Backup Catalogs with wbadmin",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
+ "risk_score": 50,
+ "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
index 8a7733d069154f..56f0b2efec620c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
- "risk_score": 50,
 "description": "EQL - Direct Outbound SMB Connection",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Direct Outbound SMB Connection",
+ "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+ "risk_score": 50,
+ "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
index 2ed22ed4e59a05..4d1e32eb298978 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
- "risk_score": 50,
 "description": "EQL - Disable Windows Firewall Rules with Netsh",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Disable Windows Firewall Rules with Netsh",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
+ "risk_score": 50,
+ "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
index e59286339290af..b9bf463a8e5f22 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
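Review bot: The trailing `or process.args:(\"advfirewall\" and \"state\" and \"off\")` on the new `query` line sits outside the `event.action` / `process.name:\"netsh.exe\"` conjunction, because `and` binds tighter than `or` in KQL; any event of any type whose `process.args` contains those three tokens (a script invoking netsh, a help page viewer, a security tool) fires this rule without the image ever being checked. The hunk only reorders keys, so this precedence bug is carried over unchanged from the old side. Parenthesize the two argument forms: `process.name:\"netsh.exe\" and (process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\"))`. The same unparenthesized `or` appears in the event-log clearing rule earlier in this patch.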
@@ -1,17 +1,17 @@
 {
- "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716",
- "risk_score": 50,
 "description": "EQL - DLL Search Order Hijack",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - DLL Search Order Hijack",
+ "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ",
+ "risk_score": 50,
+ "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
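Review bot: Every `file.path` literal on the new `query` line is missing the drive colon (`C\Windows\...` instead of `C:\Windows\...`), so none of them can equal a real Sysmon `file.path` value and the rule is effectively dead; the reordering in this hunk carries that over from the old side. Separately, each JSON `\\` yields a single backslash in the KQL string, and the kuery quoted-string grammar appears to treat `\t`, `\r` and `\n` as whitespace escapes, which would turn `\rpcrtremote.dll` and `\ntwdblib.dll` into a carriage return and a newline — confirm against the kuery grammar and, if so, write the paths with doubled backslashes in the JSON (`C:\\\\Windows\\\\System32\\\\ntwdblib.dll`). A quick way to validate the whole set is to index one synthetic `FileCreate` event per path and check the rule matches each.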
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
index 2ad0a53b6c9b4d..6b4ffd9cb21e3b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
- "risk_score": 50,
 "description": "EQL - Encoding or Decoding Files via CertUtil",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Encoding or Decoding Files via CertUtil",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
+ "risk_score": 50,
+ "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
index bb005643031bd1..f09983d26aff50 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
- "risk_score": 50,
 "description": "EQL - Local Scheduled Task Commands",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Local Scheduled Task Commands",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
+ "risk_score": 50,
+ "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
index 1254d0971f1084..d33a3dbe6de814 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
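Review bot: The argument list on the new `query` line mixes cases — `\"/S\"` but `\"-s\"` — and if `process.args` is mapped as `keyword` (the usual ECS mapping, not visible here) KQL term matching is case-sensitive, so `schtasks /s` and `schtasks -S` are missed while `/S` and `-s` are caught; the other verbs are listed lower-case only. Either enumerate both cases (`\"/S\" or \"/s\" or \"-S\" or \"-s\"`, and likewise for the verbs an attacker is likely to type in caps) or confirm the field is normalized at ingest. Note also that `/S` is the remote-system switch, so its presence in a rule named "Local Scheduled Task Commands" deserves a comment or a rename; I cannot tell from the hunk which was intended.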
@@ -1,17 +1,17 @@
 {
- "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
- "risk_score": 50,
 "description": "EQL - Local Service Commands",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Local Service Commands",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
+ "risk_score": 50,
+ "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
index 62b07f1f4ed378..39dc2547520737 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8",
- "risk_score": 50,
 "description": "EQL - Modification of Boot Configuration",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Modification of Boot Configuration",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ",
+ "risk_score": 50,
+ "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
index a3c0a8c0960efe..dd8fab2d8ad706 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
- "risk_score": 50,
 "description": "EQL - MsBuild Making Network Connections",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - MsBuild Making Network Connections",
+ "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
+ "risk_score": 50,
+ "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
index 2d5e73c50a73c7..8037cc9bcba7f0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
- "risk_score": 50,
 "description": "EQL - Mshta Making Network Connections",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Mshta Making Network Connections",
+ "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"",
+ "risk_score": 50,
+ "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\" and not parent.process.name:\"Microsoft.ConfigurationManagement.exe\"",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
index 04c88def26d61d..5dd6d5d3042c6d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
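Review bot: The new `query` line reads `process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"`, which is a contradiction that no document can satisfy, so this rule can never produce a signal; the same clause was already on the old side and this hunk, which otherwise drops the non-ECS `parent.process.name` exclusion, leaves it in place. Presumably the negated term was meant to be a different field — a parent-process exclusion on `process.parent.name` would be the natural reading — so this should be checked against the source EQL rule rather than guessed; if no exclusion is wanted the query reduces to `event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\"`. Since this PR extends the rule linter with a duplicate `rule_id` check, a simple `X and not X` contradiction check on `query` would be a cheap addition that catches exactly this.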
@@ -1,17 +1,17 @@
 {
- "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525",
- "risk_score": 50,
 "description": "EQL - MsXsl Making Network Connections",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - MsXsl Making Network Connections",
+ "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:msxml.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
index fe87c83c0403c4..d83f7796cd4d1a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
- "risk_score": 50,
 "description": "EQL - PsExec Lateral Movement Command",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - PsExec Lateral Movement Command",
+ "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
+ "risk_score": 50,
+ "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
index 41deb57145abcd..5746541dd879cf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
- "risk_score": 50,
 "description": "EQL - Suspicious MS Office Child Process",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Suspicious MS Office Child Process",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+ "risk_score": 50,
+ "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
index bbcc987c3b6aec..88ce75eeef34e8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
- "risk_score": 50,
 "description": "EQL - Suspicious MS Outlook Child Process",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Suspicious MS Outlook Child Process",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+ "risk_score": 50,
+ "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
index 488dc04a3b02e5..2e3a654127b53e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f",
- "risk_score": 50,
 "description": "EQL - Suspicious PDF Reader Child Process",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Suspicious PDF Reader Child Process",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+ "risk_score": 50,
+ "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
index 810aa79ce25af1..20080719f3ed3b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
- "risk_score": 50,
 "description": "EQL - System Shells via Services",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - System Shells via Services",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
+ "risk_score": 50,
+ "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
index 6918d996256c03..79f8f8e1f606c8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
- "risk_score": 50,
 "description": "EQL - Unusual Network Connection via RunDLL32",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Unusual Network Connection via RunDLL32",
+ "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
index 007487ec91eed1..28cce6ed89f8b0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
- "risk_score": 50,
 "description": "EQL - Unusual Parent-Child Relationship ",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Unusual Parent-Child Relationship ",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
+ "risk_score": 50,
+ "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
index 7aabc9ed604161..8b84ec4ff34f48 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
- "risk_score": 50,
 "description": "EQL - Unusual Process Network Connection",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Unusual Process Network Connection",
+ "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
+ "risk_score": 50,
+ "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
index cbe1b7fb7af4f9..3af9d9c4277511 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
- "risk_score": 50,
 "description": "EQL - User Account Creation",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - User Account Creation",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
+ "risk_score": 50,
+ "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
index ed8fa5276ef343..226f2dd1e39342 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27",
- "risk_score": 50,
 "description": "EQL - User Added to Administrator Group",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - User Added to Administrator Group",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ",
+ "risk_score": 50,
+ "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
index 186c688d21d8fc..2b27bce457aff8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
- "risk_score": 50,
 "description": "EQL - Volume Shadow Copy Deletion via VssAdmin",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Volume Shadow Copy Deletion via VssAdmin",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
+ "risk_score": 50,
+ "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
index 9f75cb3ab26a86..4ec4530cc967f7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
- "risk_score": 50,
 "description": "EQL - Volume Shadow Copy Deletion via WMIC",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Volume Shadow Copy Deletion via WMIC",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
+ "risk_score": 50,
+ "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
index 034651d94d0ea8..da96eb39e4d96a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
- "risk_score": 50,
 "description": "EQL - Windows Script Executing PowerShell",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - Windows Script Executing PowerShell",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
+ "risk_score": 50,
+ "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
index eb1f3f4dca08e5..3f1c22e2a55d99 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210",
- "risk_score": 50,
 "description": "EQL - WMIC Command Lateral Movement",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "EQL - WMIC Command Lateral Movement",
+ "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")",
+ "risk_score": 50,
+ "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
index 49b3c5d6802b48..8a353e4b2b3016 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
@@ -4,287 +4,348 @@
 * you may not use this file except in compliance with the Elastic License.
 */
-// Auto generated file from scripts/convert_saved_search_rules.js
-// Do not hand edit. Run the script against a set of saved searches instead
+// Auto generated file from scripts/regen_prepackage_rules_index.sh
+// Do not hand edit. Run that script to regenerate package information instead
-import rule1 from './eql_bypass_uac_via_sdclt.json';
-import rule2 from './eql_clearing_windows_event_logs.json';
-import rule3 from './eql_suspicious_ms_office_child_process.json';
-import rule4 from './eql_bypass_uac_event_viewer.json';
-import rule5 from './eql_volume_shadow_copy_deletion_via_wmic.json';
-import rule6 from './eql_adobe_hijack_persistence.json';
-import rule7 from './eql_unusual_network_connection_via_rundll32.json';
-import rule8 from './eql_delete_volume_usn_journal_with_fsutil.json';
-import rule9 from './eql_mshta_making_network_connections.json';
-import rule10 from './eql_unusual_process_network_connection.json';
-import rule11 from './eql_suspicious_ms_outlook_child_process.json';
-import rule12 from './eql_audio_capture_via_soundrecorder.json';
-import rule13 from './eql_direct_outbound_smb_connection.json';
-import rule14 from './eql_windows_script_executing_powershell.json';
-import rule15 from './eql_deleting_backup_catalogs_with_wbadmin.json';
-import rule16 from './eql_suspicious_pdf_reader_child_process.json';
-import rule17 from './eql_local_service_commands.json';
-import rule18 from './eql_dll_search_order_hijack.json';
-import rule19 from './eql_bypass_uac_via_cmstp.json';
-import rule20 from './eql_user_account_creation.json';
-import rule21 from './eql_wmic_command_lateral_movement.json';
-import rule22 from './eql_system_shells_via_services.json';
-import rule23 from './eql_msxsl_making_network_connections.json';
-import rule24 from './eql_local_scheduled_task_commands.json';
-import rule25 from './eql_msbuild_making_network_connections.json';
-import rule26 from './eql_encoding_or_decoding_files_via_certutil.json';
-import rule27 from './eql_disable_windows_firewall_rules_with_netsh.json';
-import rule28 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json';
-import rule29 from './eql_psexec_lateral_movement_command.json';
-import rule30 from './eql_user_added_to_administrator_group.json';
-import rule31 from './eql_audio_capture_via_powershell.json';
-import rule32 from './eql_unusual_parentchild_relationship.json';
-import rule33 from './eql_modification_of_boot_configuration.json';
-import rule34 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
-import rule35 from './zeek_notice_signaturesmultiple_sig_responders.json';
-import rule36 from './zeek_notice_packetfiltercompile_failure.json';
-import rule37 from './zeek_notice_signaturescount_signature.json';
-import rule38 from './zeek_notice_signaturesmultiple_signatures.json';
-import rule39 from './zeek_notice_signaturessignature_summary.json';
-import rule40 from './zeek_notice_signaturessensitive_signature.json';
-import rule41 from './zeek_notice_packetfilterinstall_failure.json';
-import rule42 from './zeek_notice_weirdactivity.json';
-import rule43 from './zeek_notice_noticetally.json';
-import rule44 from './zeek_notice_packetfilterno_more_conn_shunts_available.json';
-import rule45 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json';
-import rule46 from './zeek_notice_teamcymrumalwarehashregistrymatch.json';
-import rule47 from './zeek_notice_softwaresoftware_version_change.json';
-import rule48 from './zeek_notice_protocoldetectorserver_found.json';
-import rule49 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json';
-import rule50 from './zeek_notice_protocoldetectorprotocol_found.json';
-import rule51 from './zeek_notice_intelnotice.json';
-import rule52 from './zeek_notice_packetfilterdropped_packets.json';
-import rule53 from './zeek_notice_scanaddress_scan.json';
-import rule54 from './zeek_notice_ftpbruteforcing.json';
-import rule55 from './zeek_notice_scanport_scan.json';
-import rule56 from './zeek_notice_dnsexternal_name.json';
-import rule57 from './zeek_notice_capturelosstoo_much_loss.json';
-import rule58 from './zeek_notice_softwarevulnerable_version.json';
-import rule59 from './zeek_notice_connretransmission_inconsistency.json';
-import rule60 from './zeek_notice_traceroutedetected.json';
-import rule61 from './zeek_notice_conncontent_gap.json';
-import rule62 from './zeek_notice_smtpblocklist_blocked_host.json';
-import rule63 from './zeek_notice_httpsql_injection_victim.json';
-import rule64 from './zeek_notice_sshlogin_by_password_guesser.json';
-import rule65 from './zeek_notice_sshpassword_guessing.json';
-import rule66 from './zeek_notice_sshwatched_country_login.json';
-import rule67 from './zeek_notice_ftpsite_exec_success.json';
-import rule68 from './zeek_notice_smtpsuspicious_origination.json';
-import rule69 from './zeek_notice_httpsql_injection_attacker.json';
-import rule70 from './zeek_notice_smtpblocklist_error_message.json';
-import rule71 from './zeek_notice_sshinteresting_hostname_login.json';
-import rule72 from './zeek_notice_sslinvalid_server_cert.json';
-import rule73 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json';
-import rule74 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json';
-import rule75 from './zeek_notice_sslcertificate_expired.json';
-import rule76 from './zeek_notice_sslcertificate_expires_soon.json';
-import rule77 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json';
-import rule78 from './zeek_notice_sslcertificate_not_valid_yet.json';
-import rule79 from './zeek_notice_heartbleedssl_heartbeat_attack.json';
-import rule80 from './zeek_notice_sslinvalid_ocsp_response.json';
-import rule81 from './zeek_notice_sslweak_key.json';
-import rule82 from './zeek_notice_sslold_version.json';
-import rule83 from './zeek_notice_sslweak_cipher.json';
-import rule84 from './suricata_category_large_scale_information_leak.json';
-import rule85 from './suricata_category_attempted_information_leak.json';
-import rule86 from './suricata_category_not_suspicious_traffic.json';
-import rule87 from './suricata_category_potentially_bad_traffic.json';
-import rule88 from './suricata_category_information_leak.json';
-import rule89 from './suricata_category_unknown_traffic.json';
-import rule90 from './suricata_category_successful_administrator_privilege_gain.json';
-import rule91 from './suricata_category_attempted_administrator_privilege_gain.json';
-import rule92 from './suricata_category_unsuccessful_user_privilege_gain.json';
-import rule93 from './suricata_category_successful_user_privilege_gain.json';
-import rule94 from './suricata_category_attempted_user_privilege_gain.json';
-import rule95 from './suricata_category_attempted_denial_of_service.json';
-import rule96 from './suricata_category_decode_of_an_rpc_query.json';
-import rule97 from './suricata_category_denial_of_service.json';
-import rule98 from './suricata_category_attempted_login_with_suspicious_username.json';
-import rule99 from './suricata_category_client_using_unusual_port.json';
-import rule100 from './suricata_category_suspicious_filename_detected.json';
-import rule101 from './suricata_category_a_suspicious_string_was_detected.json';
-import rule102 from './suricata_category_tcp_connection_detected.json';
-import rule103 from './suricata_category_executable_code_was_detected.json';
-import rule104 from './suricata_category_network_trojan_detected.json';
-import rule105 from './suricata_category_system_call_detected.json';
-import rule106 from './suricata_category_potentially_vulnerable_web_application_access.json';
-import rule107 from './suricata_category_nonstandard_protocol_or_event.json';
-import rule108 from './suricata_category_denial_of_service_attack.json';
-import rule109 from './suricata_category_generic_protocol_command_decode.json';
-import rule110 from './suricata_category_network_scan_detected.json';
-import rule111 from './suricata_category_web_application_attack.json';
-import rule112 from './suricata_category_generic_icmp_event.json';
-import rule113 from './suricata_category_misc_attack.json';
-import rule114 from './suricata_category_default_username_and_password_login_attempt.json';
-import rule115 from './suricata_category_external_ip_address_retrieval.json';
-import rule116 from './suricata_category_potential_corporate_privacy_violation.json';
-import rule117 from './suricata_category_targeted_malicious_activity.json';
-import rule118 from './suricata_category_observed_c2_domain.json';
-import rule119 from './suricata_category_exploit_kit_activity.json';
-import rule120 from './suricata_category_possibly_unwanted_program.json';
-import rule121 from './suricata_category_successful_credential_theft.json';
-import rule122 from './suricata_category_possible_social_engineering_attempted.json';
-import rule123 from './suricata_category_crypto_currency_mining_activity.json';
-import rule124 from './suricata_category_malware_command_and_control_activity.json';
-import rule125 from './suricata_category_misc_activity.json';
-import rule126 from './windows_powershell_connecting_to_the_internet.json';
-import rule127 from './windows_net_user_command_activity.json';
-import rule128 from './windows_image_load_from_a_temp_directory.json';
-import rule129 from './network_ssh_secure_shell_to_the_internet.json';
-import rule130 from './suricata_nonhttp_traffic_on_tcp_port_80.json';
-import rule131 from './windows_misc_lolbin_connecting_to_the_internet.json';
-import rule132 from './linux_strace_activity.json';
-import rule133 from './suricata_directory_reversal_characters_in_an_http_request.json';
-import rule134 from './suricata_dns_traffic_on_unusual_udp_port.json';
-import rule135 from './network_telnet_port_activity.json';
-import rule136 from './suricata_directory_traversal_in_downloaded_zip_file.json';
-import rule137 from './windows_execution_via_microsoft_html_application_hta.json';
-import rule138 from './windows_credential_dumping_commands.json';
-import rule139 from './windows_net_command_activity_by_the_system_account.json';
-import rule140 from './windows_register_server_program_connecting_to_the_internet.json';
-import rule141 from './linux_java_process_connecting_to_the_internet.json';
-import rule142 from './suricata_imap_traffic_on_unusual_port_internet_destination.json';
-import rule143 from './suricata_double_encoded_characters_in_a_uri.json';
-import rule144 from './network_tor_activity_to_the_internet.json';
-import rule145 from './windows_registry_query_local.json';
-import rule146 from './linux_netcat_network_connection.json';
-import rule147 from './windows_defense_evasion_via_filter_manager.json';
-import rule148 from './suricata_nondns_traffic_on_udp_port_53.json';
-import rule149 from './suricata_double_encoded_characters_in_an_http_post.json';
-import rule150 from './command_shell_started_by_internet_explorer.json';
-import rule151 from './network_vnc_virtual_network_computing_from_the_internet.json';
-import rule152 from './windows_nmap_activity.json';
-import rule153 from './suspicious_process_started_by_a_script.json';
-import rule154 from './windows_network_anomalous_windows_process_using_https_ports.json';
-import rule155 from './powershell_network_connection.json';
-import rule156 from './windows_signed_binary_proxy_execution.json';
-import rule157 from './linux_kernel_module_activity.json';
-import rule158 from './network_vnc_virtual_network_computing_to_the_internet.json';
-import rule159 from './suricata_mimikatz_string_detected_in_http_response.json';
-import rule160 from './command_shell_started_by_svchost.json';
-import rule161 from './linux_tcpdump_activity.json';
-import rule162 from './process_started_by_ms_office_program_possible_payload.json';
-import rule163 from './windows_signed_binary_proxy_execution_download.json';
-import rule164 from './suricata_base64_encoded_startprocess_powershell_execution.json';
-import rule165 from './suricata_base64_encoded_invokecommand_powershell_execution.json';
-import rule166 from './suricata_directory_traversal_characters_in_http_response.json';
-import rule167 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
-import rule168 from './suricata_tls_traffic_on_unusual_port_internet_destination.json';
-import rule169 from './process_started_by_acrobat_reader_possible_payload.json';
-import rule170 from './suricata_http_traffic_on_unusual_port_internet_destination.json';
-import rule171 from './windows_persistence_via_modification_of_existing_service.json';
-import rule172 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
-import rule173 from './windows_execution_via_compiled_html_file.json';
-import rule174 from './linux_ptrace_activity.json';
-import rule175 from './suricata_nonimap_traffic_on_port_1443_imap.json';
-import rule176 from './windows_scheduled_task_activity.json';
-import rule177 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json';
-import rule178 from './windows_wireshark_activity.json';
-import rule179 from './windows_execution_via_trusted_developer_utilities.json';
-import rule180 from './suricata_rpc_traffic_on_http_ports.json';
-import rule181 from './windows_process_discovery_via_tasklist_command.json';
-import rule182 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';
-import rule183 from './suricata_serialized_php_detected.json';
-import rule184 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
-import rule185 from './windows_registry_query_network.json';
-import rule186 from './windows_persistence_via_application_shimming.json';
-import rule187 from './network_proxy_port_activity_to_the_internet.json';
-import rule188 from './windows_whoami_command_activity.json';
-import rule189 from './suricata_shell_exec_php_function_in_an_http_post.json';
-import rule190 from './windump_activity.json';
-import rule191 from './windows_management_instrumentation_wmi_execution.json';
-import rule192 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
-import rule193 from './windows_priv_escalation_via_accessibility_features.json';
-import rule194 from './psexec_activity.json';
-import rule195 from './linux_rawshark_activity.json';
-import rule196 from './suricata_nonftp_traffic_on_port_21.json';
-import rule197 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
-import rule198 from './windows_certutil_connecting_to_the_internet.json';
-import rule199 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json';
-import rule200 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
-import rule201 from './linux_whoami_commmand.json';
-import rule202 from './windows_persistence_or_priv_escalation_via_hooking.json';
-import rule203 from './linux_lzop_activity_possible_julianrunnels.json';
-import rule204 from './suricata_nontls_on_tls_port.json';
-import rule205 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
-import rule206 from './linux_network_anomalous_process_using_https_ports.json';
-import rule207 from './windows_credential_dumping_via_registry_save.json';
-import rule208 from './network_rpc_remote_procedure_call_from_the_internet.json';
-import rule209 from './windows_credential_dumping_via_imageload.json';
-import rule210 from './windows_burp_ce_activity.json';
-import rule211 from './linux_hping_activity.json';
-import rule212 from './windows_command_prompt_connecting_to_the_internet.json';
-import rule213 from './network_nat_traversal_port_activity.json';
-import rule214 from './network_rpc_remote_procedure_call_to_the_internet.json';
-import rule215 from 
'./suricata_possible_cobalt_strike_malleable_c2_null_response.json'; -import rule216 from './windows_remote_management_execution.json'; -import rule217 from './suricata_lazagne_artifact_in_an_http_post.json'; -import rule218 from './windows_netcat_network_activity.json'; -import rule219 from './windows_iodine_activity.json'; -import rule220 from './network_port_26_activity.json'; -import rule221 from './windows_execution_via_connection_manager.json'; -import rule222 from './linux_process_started_in_temp_directory.json'; -import rule223 from './suricata_eval_php_function_in_an_http_request.json'; -import rule224 from './linux_web_download.json'; -import rule225 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json'; -import rule226 from './network_port_8000_activity.json'; -import rule227 from './windows_process_started_by_the_java_runtime.json'; -import rule228 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json'; -import rule229 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule230 from './network_port_8000_activity_to_the_internet.json'; -import rule231 from './command_shell_started_by_powershell.json'; -import rule232 from './linux_nmap_activity.json'; -import rule233 from './search_windows_10.json'; -import rule234 from './network_smtp_to_the_internet.json'; -import rule235 from './windows_payload_obfuscation_via_certutil.json'; -import rule236 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; -import rule237 from './linux_unusual_shell_activity.json'; -import rule238 from './linux_mknod_activity.json'; -import rule239 from './network_sql_server_port_activity_to_the_internet.json'; -import rule240 from './suricata_commonly_abused_dns_domain_detected.json'; -import rule241 from './linux_iodine_activity.json'; -import rule242 from './suricata_mimikatz_artifacts_in_an_http_post.json'; -import rule243 from './windows_execution_via_net_com_assemblies.json'; -import 
rule244 from './suricata_dns_traffic_on_unusual_tcp_port.json'; -import rule245 from './suricata_base64_encoded_newobject_powershell_execution.json'; -import rule246 from './windows_netcat_activity.json'; -import rule247 from './windows_persistence_via_bits_jobs.json'; -import rule248 from './linux_nping_activity.json'; -import rule249 from './windows_execution_via_regsvr32.json'; -import rule250 from './process_started_by_windows_defender.json'; +import rule1 from './403_response_to_a_post.json'; +import rule2 from './405_response_method_not_allowed.json'; +import rule3 from './500_response_on_admin_page.json'; +import rule4 from './command_shell_started_by_internet_explorer.json'; +import rule5 from './command_shell_started_by_powershell.json'; +import rule6 from './command_shell_started_by_svchost.json'; +import rule7 from './ece_network_detect_large_outbound_icmp_packets.json'; +import rule8 from './ece_network_detect_long_dns_txt_record_response.json'; +import rule9 from './ece_network_protocols_passing_authentication_in_cleartext.json'; +import rule10 from './ece_windows_child_processes_of_spoolsvexe.json'; +import rule11 from './ece_windows_detect_new_local_admin_account.json'; +import rule12 from './ece_windows_detect_psexec_with_accepteula_flag.json'; +import rule13 from './ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json'; +import rule14 from './ece_windows_new_external_device.json'; +import rule15 from './ece_windows_processes_created_by_netsh.json'; +import rule16 from './ece_windows_processes_launching_netsh.json'; +import rule17 from './ece_windows_windows_event_log_cleared.json'; +import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; +import rule19 from './eql_adobe_hijack_persistence.json'; +import rule20 from './eql_audio_capture_via_powershell.json'; +import rule21 from './eql_audio_capture_via_soundrecorder.json'; +import rule22 from './eql_bypass_uac_event_viewer.json'; +import rule23 from 
'./eql_bypass_uac_via_cmstp.json'; +import rule24 from './eql_bypass_uac_via_sdclt.json'; +import rule25 from './eql_clearing_windows_event_logs.json'; +import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json'; +import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json'; +import rule28 from './eql_direct_outbound_smb_connection.json'; +import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json'; +import rule30 from './eql_dll_search_order_hijack.json'; +import rule31 from './eql_encoding_or_decoding_files_via_certutil.json'; +import rule32 from './eql_local_scheduled_task_commands.json'; +import rule33 from './eql_local_service_commands.json'; +import rule34 from './eql_modification_of_boot_configuration.json'; +import rule35 from './eql_msbuild_making_network_connections.json'; +import rule36 from './eql_mshta_making_network_connections.json'; +import rule37 from './eql_msxsl_making_network_connections.json'; +import rule38 from './eql_psexec_lateral_movement_command.json'; +import rule39 from './eql_suspicious_ms_office_child_process.json'; +import rule40 from './eql_suspicious_ms_outlook_child_process.json'; +import rule41 from './eql_suspicious_pdf_reader_child_process.json'; +import rule42 from './eql_system_shells_via_services.json'; +import rule43 from './eql_unusual_network_connection_via_rundll32.json'; +import rule44 from './eql_unusual_parentchild_relationship.json'; +import rule45 from './eql_unusual_process_network_connection.json'; +import rule46 from './eql_user_account_creation.json'; +import rule47 from './eql_user_added_to_administrator_group.json'; +import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; +import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json'; +import rule50 from './eql_windows_script_executing_powershell.json'; +import rule51 from './eql_wmic_command_lateral_movement.json'; +import rule52 from './linux_hping_activity.json'; +import rule53 from 
'./linux_iodine_activity.json'; +import rule54 from './linux_java_process_connecting_to_the_internet.json'; +import rule55 from './linux_kernel_module_activity.json'; +import rule56 from './linux_ldso_process_activity.json'; +import rule57 from './linux_lzop_activity.json'; +import rule58 from './linux_lzop_activity_possible_julianrunnels.json'; +import rule59 from './linux_mknod_activity.json'; +import rule60 from './linux_netcat_network_connection.json'; +import rule61 from './linux_network_anomalous_process_using_https_ports.json'; +import rule62 from './linux_nmap_activity.json'; +import rule63 from './linux_nping_activity.json'; +import rule64 from './linux_process_started_in_temp_directory.json'; +import rule65 from './linux_ptrace_activity.json'; +import rule66 from './linux_rawshark_activity.json'; +import rule67 from './linux_shell_activity_by_web_server.json'; +import rule68 from './linux_socat_activity.json'; +import rule69 from './linux_ssh_forwarding.json'; +import rule70 from './linux_strace_activity.json'; +import rule71 from './linux_tcpdump_activity.json'; +import rule72 from './linux_unusual_shell_activity.json'; +import rule73 from './linux_web_download.json'; +import rule74 from './linux_whoami_commmand.json'; +import rule75 from './network_dns_directly_to_the_internet.json'; +import rule76 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; +import rule77 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; +import rule78 from './network_nat_traversal_port_activity.json'; +import rule79 from './network_port_26_activity.json'; +import rule80 from './network_port_8000_activity.json'; +import rule81 from './network_port_8000_activity_to_the_internet.json'; +import rule82 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; +import rule83 from './network_proxy_port_activity_to_the_internet.json'; +import rule84 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; 
+import rule85 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; +import rule86 from './network_rpc_remote_procedure_call_from_the_internet.json'; +import rule87 from './network_rpc_remote_procedure_call_to_the_internet.json'; +import rule88 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; +import rule89 from './network_smtp_to_the_internet.json'; +import rule90 from './network_sql_server_port_activity_to_the_internet.json'; +import rule91 from './network_ssh_secure_shell_from_the_internet.json'; +import rule92 from './network_ssh_secure_shell_to_the_internet.json'; +import rule93 from './network_telnet_port_activity.json'; +import rule94 from './network_tor_activity_to_the_internet.json'; +import rule95 from './network_vnc_virtual_network_computing_from_the_internet.json'; +import rule96 from './network_vnc_virtual_network_computing_to_the_internet.json'; +import rule97 from './null_user_agent.json'; +import rule98 from './powershell_network_connection.json'; +import rule99 from './process_execution_via_wmi.json'; +import rule100 from './process_started_by_acrobat_reader_possible_payload.json'; +import rule101 from './process_started_by_ms_office_program_possible_payload.json'; +import rule102 from './process_started_by_windows_defender.json'; +import rule103 from './psexec_activity.json'; +import rule104 from './search_windows_10.json'; +import rule105 from './splunk_child_processes_of_spoolsvexe.json'; +import rule106 from './splunk_detect_large_outbound_icmp_packets.json'; +import rule107 from './splunk_detect_long_dns_txt_record_response.json'; +import rule108 from './splunk_detect_new_local_admin_account.json'; +import rule109 from './splunk_detect_psexec_with_accepteula_flag.json'; +import rule110 from './splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json'; +import rule111 from './splunk_processes_created_by_netsh.json'; +import rule112 from './splunk_processes_launching_netsh.json'; +import rule113 from 
'./splunk_protocols_passing_authentication_in_cleartext.json'; +import rule114 from './splunk_windows_event_log_cleared.json'; +import rule115 from './sqlmap_user_agent.json'; +import rule116 from './suricata_base64_encoded_invokecommand_powershell_execution.json'; +import rule117 from './suricata_base64_encoded_newobject_powershell_execution.json'; +import rule118 from './suricata_base64_encoded_startprocess_powershell_execution.json'; +import rule119 from './suricata_category_a_suspicious_string_was_detected.json'; +import rule120 from './suricata_category_attempted_administrator_privilege_gain.json'; +import rule121 from './suricata_category_attempted_denial_of_service.json'; +import rule122 from './suricata_category_attempted_information_leak.json'; +import rule123 from './suricata_category_attempted_login_with_suspicious_username.json'; +import rule124 from './suricata_category_attempted_user_privilege_gain.json'; +import rule125 from './suricata_category_client_using_unusual_port.json'; +import rule126 from './suricata_category_crypto_currency_mining_activity.json'; +import rule127 from './suricata_category_decode_of_an_rpc_query.json'; +import rule128 from './suricata_category_default_username_and_password_login_attempt.json'; +import rule129 from './suricata_category_denial_of_service.json'; +import rule130 from './suricata_category_denial_of_service_attack.json'; +import rule131 from './suricata_category_executable_code_was_detected.json'; +import rule132 from './suricata_category_exploit_kit_activity.json'; +import rule133 from './suricata_category_external_ip_address_retrieval.json'; +import rule134 from './suricata_category_generic_icmp_event.json'; +import rule135 from './suricata_category_generic_protocol_command_decode.json'; +import rule136 from './suricata_category_information_leak.json'; +import rule137 from './suricata_category_large_scale_information_leak.json'; +import rule138 from 
'./suricata_category_malware_command_and_control_activity.json'; +import rule139 from './suricata_category_misc_activity.json'; +import rule140 from './suricata_category_misc_attack.json'; +import rule141 from './suricata_category_network_scan_detected.json'; +import rule142 from './suricata_category_network_trojan_detected.json'; +import rule143 from './suricata_category_nonstandard_protocol_or_event.json'; +import rule144 from './suricata_category_not_suspicious_traffic.json'; +import rule145 from './suricata_category_observed_c2_domain.json'; +import rule146 from './suricata_category_possible_social_engineering_attempted.json'; +import rule147 from './suricata_category_possibly_unwanted_program.json'; +import rule148 from './suricata_category_potential_corporate_privacy_violation.json'; +import rule149 from './suricata_category_potentially_bad_traffic.json'; +import rule150 from './suricata_category_potentially_vulnerable_web_application_access.json'; +import rule151 from './suricata_category_successful_administrator_privilege_gain.json'; +import rule152 from './suricata_category_successful_credential_theft.json'; +import rule153 from './suricata_category_successful_user_privilege_gain.json'; +import rule154 from './suricata_category_suspicious_filename_detected.json'; +import rule155 from './suricata_category_system_call_detected.json'; +import rule156 from './suricata_category_targeted_malicious_activity.json'; +import rule157 from './suricata_category_tcp_connection_detected.json'; +import rule158 from './suricata_category_unknown_traffic.json'; +import rule159 from './suricata_category_unsuccessful_user_privilege_gain.json'; +import rule160 from './suricata_category_web_application_attack.json'; +import rule161 from './suricata_cobaltstrike_artifact_in_an_dns_request.json'; +import rule162 from './suricata_commonly_abused_dns_domain_detected.json'; +import rule163 from './suricata_directory_reversal_characters_in_an_http_request.json'; +import rule164 from 
'./suricata_directory_traversal_characters_in_an_http_request.json'; +import rule165 from './suricata_directory_traversal_characters_in_http_response.json'; +import rule166 from './suricata_directory_traversal_in_downloaded_zip_file.json'; +import rule167 from './suricata_dns_traffic_on_unusual_tcp_port.json'; +import rule168 from './suricata_dns_traffic_on_unusual_udp_port.json'; +import rule169 from './suricata_double_encoded_characters_in_a_uri.json'; +import rule170 from './suricata_double_encoded_characters_in_an_http_post.json'; +import rule171 from './suricata_double_encoded_characters_in_http_request.json'; +import rule172 from './suricata_eval_php_function_in_an_http_request.json'; +import rule173 from './suricata_exploit_cve_2018_1000861.json'; +import rule174 from './suricata_exploit_cve_2019_0227.json'; +import rule175 from './suricata_exploit_cve_2019_0232.json'; +import rule176 from './suricata_exploit_cve_2019_0604.json'; +import rule177 from './suricata_exploit_cve_2019_0708.json'; +import rule178 from './suricata_exploit_cve_2019_0752.json'; +import rule179 from './suricata_exploit_cve_2019_1003000.json'; +import rule180 from './suricata_exploit_cve_2019_10149.json'; +import rule181 from './suricata_exploit_cve_2019_11043.json'; +import rule182 from './suricata_exploit_cve_2019_11510.json'; +import rule183 from './suricata_exploit_cve_2019_11580.json'; +import rule184 from './suricata_exploit_cve_2019_11581.json'; +import rule185 from './suricata_exploit_cve_2019_13450.json'; +import rule186 from './suricata_exploit_cve_2019_13505.json'; +import rule187 from './suricata_exploit_cve_2019_15107.json'; +import rule188 from './suricata_exploit_cve_2019_15846.json'; +import rule189 from './suricata_exploit_cve_2019_16072.json'; +import rule190 from './suricata_exploit_cve_2019_1652.json'; +import rule191 from './suricata_exploit_cve_2019_16662.json'; +import rule192 from './suricata_exploit_cve_2019_16759.json'; +import rule193 from 
'./suricata_exploit_cve_2019_16928.json'; +import rule194 from './suricata_exploit_cve_2019_17270.json'; +import rule195 from './suricata_exploit_cve_2019_1821.json'; +import rule196 from './suricata_exploit_cve_2019_19781.json'; +import rule197 from './suricata_exploit_cve_2019_2618.json'; +import rule198 from './suricata_exploit_cve_2019_2725.json'; +import rule199 from './suricata_exploit_cve_2019_3396.json'; +import rule200 from './suricata_exploit_cve_2019_3929.json'; +import rule201 from './suricata_exploit_cve_2019_5533.json'; +import rule202 from './suricata_exploit_cve_2019_6340.json'; +import rule203 from './suricata_exploit_cve_2019_7256.json'; +import rule204 from './suricata_exploit_cve_2019_9978.json'; +import rule205 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json'; +import rule206 from './suricata_http_traffic_on_unusual_port_internet_destination.json'; +import rule207 from './suricata_imap_traffic_on_unusual_port_internet_destination.json'; +import rule208 from './suricata_lazagne_artifact_in_an_http_post.json'; +import rule209 from './suricata_mimikatz_artifacts_in_an_http_post.json'; +import rule210 from './suricata_mimikatz_string_detected_in_http_response.json'; +import rule211 from './suricata_nondns_traffic_on_tcp_port_53.json'; +import rule212 from './suricata_nondns_traffic_on_udp_port_53.json'; +import rule213 from './suricata_nonftp_traffic_on_port_21.json'; +import rule214 from './suricata_nonhttp_traffic_on_tcp_port_80.json'; +import rule215 from './suricata_nonimap_traffic_on_port_1443_imap.json'; +import rule216 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json'; +import rule217 from './suricata_nonssh_traffic_on_port_22.json'; +import rule218 from './suricata_nontls_on_tls_port.json'; +import rule219 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json'; +import rule220 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json'; +import rule221 from 
'./suricata_rpc_traffic_on_http_ports.json'; +import rule222 from './suricata_serialized_php_detected.json'; +import rule223 from './suricata_shell_exec_php_function_in_an_http_post.json'; +import rule224 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json'; +import rule225 from './suricata_tls_traffic_on_unusual_port_internet_destination.json'; +import rule226 from './suricata_windows_executable_served_by_jpeg_web_content.json'; +import rule227 from './suspicious_process_started_by_a_script.json'; +import rule228 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; +import rule229 from './windows_burp_ce_activity.json'; +import rule230 from './windows_certutil_connecting_to_the_internet.json'; +import rule231 from './windows_command_prompt_connecting_to_the_internet.json'; +import rule232 from './windows_command_shell_started_by_internet_explorer.json'; +import rule233 from './windows_command_shell_started_by_powershell.json'; +import rule234 from './windows_command_shell_started_by_svchost.json'; +import rule235 from './windows_credential_dumping_commands.json'; +import rule236 from './windows_credential_dumping_via_imageload.json'; +import rule237 from './windows_credential_dumping_via_registry_save.json'; +import rule238 from './windows_data_compression_using_powershell.json'; +import rule239 from './windows_defense_evasion_decoding_using_certutil.json'; +import rule240 from './windows_defense_evasion_or_persistence_via_hidden_files.json'; +import rule241 from './windows_defense_evasion_via_filter_manager.json'; +import rule242 from './windows_defense_evasion_via_windows_event_log_tools.json'; +import rule243 from './windows_execution_via_compiled_html_file.json'; +import rule244 from './windows_execution_via_connection_manager.json'; +import rule245 from './windows_execution_via_microsoft_html_application_hta.json'; +import rule246 from './windows_execution_via_net_com_assemblies.json'; +import 
rule247 from './windows_execution_via_regsvr32.json'; +import rule248 from './windows_execution_via_trusted_developer_utilities.json'; +import rule249 from './windows_html_help_executable_program_connecting_to_the_internet.json'; +import rule250 from './windows_image_load_from_a_temp_directory.json'; import rule251 from './windows_indirect_command_execution.json'; -import rule252 from './network_ssh_secure_shell_from_the_internet.json'; -import rule253 from './windows_html_help_executable_program_connecting_to_the_internet.json'; -import rule254 from './suricata_windows_executable_served_by_jpeg_web_content.json'; -import rule255 from './network_dns_directly_to_the_internet.json'; -import rule256 from './windows_defense_evasion_via_windows_event_log_tools.json'; -import rule257 from './suricata_nondns_traffic_on_tcp_port_53.json'; -import rule258 from './windows_persistence_via_netshell_helper_dll.json'; -import rule259 from './windows_script_interpreter_connecting_to_the_internet.json'; -import rule260 from './windows_defense_evasion_decoding_using_certutil.json'; -import rule261 from './linux_shell_activity_by_web_server.json'; -import rule262 from './linux_ldso_process_activity.json'; -import rule263 from './windows_mimikatz_activity.json'; -import rule264 from './suricata_nonssh_traffic_on_port_22.json'; -import rule265 from './windows_data_compression_using_powershell.json'; -import rule266 from './windows_nmap_scan_activity.json'; -import rule267 from './splunk_windows_event_log_cleared.json'; -import rule268 from './splunk_detect_long_dns_txt_record_response.json'; -import rule269 from './splunk_processes_launching_netsh.json'; -import rule270 from './splunk_detect_large_outbound_icmp_packets.json'; -import rule271 from './splunk_detect_new_local_admin_account.json'; -import rule272 from './splunk_protocols_passing_authentication_in_cleartext.json'; -import rule273 from './splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json'; -import rule274 from 
'./splunk_child_processes_of_spoolsvexe.json'; -import rule275 from './splunk_detect_psexec_with_accepteula_flag.json'; -import rule276 from './splunk_processes_created_by_netsh.json'; -import rule277 from './process_execution_via_wmi.json'; - +import rule252 from './windows_iodine_activity.json'; +import rule253 from './windows_management_instrumentation_wmi_execution.json'; +import rule254 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json'; +import rule255 from './windows_mimikatz_activity.json'; +import rule256 from './windows_misc_lolbin_connecting_to_the_internet.json'; +import rule257 from './windows_net_command_activity_by_the_system_account.json'; +import rule258 from './windows_net_user_command_activity.json'; +import rule259 from './windows_netcat_activity.json'; +import rule260 from './windows_netcat_network_activity.json'; +import rule261 from './windows_network_anomalous_windows_process_using_https_ports.json'; +import rule262 from './windows_nmap_activity.json'; +import rule263 from './windows_nmap_scan_activity.json'; +import rule264 from './windows_payload_obfuscation_via_certutil.json'; +import rule265 from './windows_persistence_or_priv_escalation_via_hooking.json'; +import rule266 from './windows_persistence_via_application_shimming.json'; +import rule267 from './windows_persistence_via_bits_jobs.json'; +import rule268 from './windows_persistence_via_modification_of_existing_service.json'; +import rule269 from './windows_persistence_via_netshell_helper_dll.json'; +import rule270 from './windows_powershell_connecting_to_the_internet.json'; +import rule271 from './windows_priv_escalation_via_accessibility_features.json'; +import rule272 from './windows_process_discovery_via_tasklist_command.json'; +import rule273 from './windows_process_execution_via_wmi.json'; +import rule274 from './windows_process_started_by_acrobat_reader_possible_payload.json'; +import rule275 from 
'./windows_process_started_by_ms_office_program_possible_payload.json'; +import rule276 from './windows_process_started_by_the_java_runtime.json'; +import rule277 from './windows_psexec_activity.json'; +import rule278 from './windows_register_server_program_connecting_to_the_internet.json'; +import rule279 from './windows_registry_query_local.json'; +import rule280 from './windows_registry_query_network.json'; +import rule281 from './windows_remote_management_execution.json'; +import rule282 from './windows_scheduled_task_activity.json'; +import rule283 from './windows_script_interpreter_connecting_to_the_internet.json'; +import rule284 from './windows_signed_binary_proxy_execution.json'; +import rule285 from './windows_signed_binary_proxy_execution_download.json'; +import rule286 from './windows_suspicious_process_started_by_a_script.json'; +import rule287 from './windows_whoami_command_activity.json'; +import rule288 from './windows_windump_activity.json'; +import rule289 from './windows_wireshark_activity.json'; +import rule290 from './windump_activity.json'; +import rule291 from './zeek_notice_capturelosstoo_much_loss.json'; +import rule292 from './zeek_notice_conncontent_gap.json'; +import rule293 from './zeek_notice_connretransmission_inconsistency.json'; +import rule294 from './zeek_notice_dnsexternal_name.json'; +import rule295 from './zeek_notice_ftpbruteforcing.json'; +import rule296 from './zeek_notice_ftpsite_exec_success.json'; +import rule297 from './zeek_notice_heartbleedssl_heartbeat_attack.json'; +import rule298 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json'; +import rule299 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json'; +import rule300 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json'; +import rule301 from './zeek_notice_httpsql_injection_attacker.json'; +import rule302 from './zeek_notice_httpsql_injection_victim.json'; +import rule303 from './zeek_notice_intelnotice.json'; +import rule304 from 
'./zeek_notice_noticetally.json'; +import rule305 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json'; +import rule306 from './zeek_notice_packetfiltercompile_failure.json'; +import rule307 from './zeek_notice_packetfilterdropped_packets.json'; +import rule308 from './zeek_notice_packetfilterinstall_failure.json'; +import rule309 from './zeek_notice_packetfilterno_more_conn_shunts_available.json'; +import rule310 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json'; +import rule311 from './zeek_notice_protocoldetectorprotocol_found.json'; +import rule312 from './zeek_notice_protocoldetectorserver_found.json'; +import rule313 from './zeek_notice_scanaddress_scan.json'; +import rule314 from './zeek_notice_scanport_scan.json'; +import rule315 from './zeek_notice_signaturescount_signature.json'; +import rule316 from './zeek_notice_signaturesmultiple_sig_responders.json'; +import rule317 from './zeek_notice_signaturesmultiple_signatures.json'; +import rule318 from './zeek_notice_signaturessensitive_signature.json'; +import rule319 from './zeek_notice_signaturessignature_summary.json'; +import rule320 from './zeek_notice_smtpblocklist_blocked_host.json'; +import rule321 from './zeek_notice_smtpblocklist_error_message.json'; +import rule322 from './zeek_notice_smtpsuspicious_origination.json'; +import rule323 from './zeek_notice_softwaresoftware_version_change.json'; +import rule324 from './zeek_notice_softwarevulnerable_version.json'; +import rule325 from './zeek_notice_sshinteresting_hostname_login.json'; +import rule326 from './zeek_notice_sshlogin_by_password_guesser.json'; +import rule327 from './zeek_notice_sshpassword_guessing.json'; +import rule328 from './zeek_notice_sshwatched_country_login.json'; +import rule329 from './zeek_notice_sslcertificate_expired.json'; +import rule330 from './zeek_notice_sslcertificate_expires_soon.json'; +import rule331 from './zeek_notice_sslcertificate_not_valid_yet.json'; +import rule332 from 
'./zeek_notice_sslinvalid_ocsp_response.json'; +import rule333 from './zeek_notice_sslinvalid_server_cert.json'; +import rule334 from './zeek_notice_sslold_version.json'; +import rule335 from './zeek_notice_sslweak_cipher.json'; +import rule336 from './zeek_notice_sslweak_key.json'; +import rule337 from './zeek_notice_teamcymrumalwarehashregistrymatch.json'; +import rule338 from './zeek_notice_traceroutedetected.json'; +import rule339 from './zeek_notice_weirdactivity.json'; export const rawRules = [ rule1, rule2, @@ -563,4 +624,66 @@ export const rawRules = [ rule275, rule276, rule277, + rule278, + rule279, + rule280, + rule281, + rule282, + rule283, + rule284, + rule285, + rule286, + rule287, + rule288, + rule289, + rule290, + rule291, + rule292, + rule293, + rule294, + rule295, + rule296, + rule297, + rule298, + rule299, + rule300, + rule301, + rule302, + rule303, + rule304, + rule305, + rule306, + rule307, + rule308, + rule309, + rule310, + rule311, + rule312, + rule313, + rule314, + rule315, + rule316, + rule317, + rule318, + rule319, + rule320, + rule321, + rule322, + rule323, + rule324, + rule325, + rule326, + rule327, + rule328, + rule329, + rule330, + rule331, + rule332, + rule333, + rule334, + rule335, + rule336, + rule337, + rule338, + rule339, ]; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json index 92308283717a54..b42e4130b688cf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json 
@@ -1,68 +1,16 @@ { - "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", - "risk_score": 50, "description": "Linux: Hping Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Hping Activity", + "query": "process.name: hping and event.action:executed", + "risk_score": 50, + "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: hping", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json index ded4b72fcbfc48..1eb66c39571d75 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json 
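Review bot: The new `query` keys on `event.action:executed`, while the filters removed in this hunk keyed on `event.dataset: process` and `event.action: process_started`, so the rule now matches a different event source (presumably a different Auditbeat module; confirm) and no longer constrains `event.dataset` at all, which should be checked against the data the rule was tested with before republishing. The same substitution is made in linux_iodine_activity.json, linux_kernel_module_activity.json, linux_mknod_activity.json, linux_nping_activity.json, linux_process_started_in_temp_directory.json, linux_ptrace_activity.json, linux_rawshark_activity.json, linux_strace_activity.json and linux_tcpdump_activity.json. linux_nmap_activity.json drops the same filters but adds no `event.action` clause, leaving `"query": "process.name: nmap"`, which is inconsistent with its siblings and matches any event carrying that process name. Since the rule body no longer encodes the expected dataset, consider stating it in `description` so operators know which module has to be shipping data.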
@@ -1,68 +1,16 @@ { - "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", - "risk_score": 50, "description": "Linux: Iodine Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Iodine Activity", + "query": "process.name: (iodine or iodined) and event.action:executed", + "risk_score": 50, + "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: (iodine or iodined)", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json index aba4954e3552a6..57f37e34ad4d5f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json @@ -1,29 +1,22 @@ { - "rule_id": "7f65b8c5-27ed-4cf6-a088-3a20d2f84bf5", - "risk_score": 50, "description": "Linux: Java Process Connecting to the Internet", - "immutable": true, - "interval": "5m", - "name": "Linux: Java Process Connecting to the Internet", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "not destination.ip: 10.0.0.0/8 and not 172.16.0.0/12", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "process.name", - "value": "java", + "negate": false, "params": { "query": "java" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "java" }, "query": { "match": { @@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.action", - "value": "socket_opened", + "negate": false, "params": { "query": "socket_opened" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "socket_opened" }, "query": { "match": { 
@@ -57,23 +50,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": true, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "key": "destination.ip", - "value": "127.0.0.1", + "negate": true, "params": { "query": "127.0.0.1" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index" + "type": "phrase", + "value": "127.0.0.1" }, "query": { "match": { @@ -82,23 +75,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": true, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "key": "destination.ip", - "value": "::1", + "negate": true, "params": { "query": "::1" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index" + "type": "phrase", + "value": "::1" }, "query": { "match": { @@ -107,12 +100,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Linux: Java Process Connecting to the Internet", + "query": "not destination.ip: 10.0.0.0/8 and not 172.16.0.0/12", + "risk_score": 50, + "rule_id": "7f65b8c5-27ed-4cf6-a088-3a20d2f84bf5", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json index 4564d1afccf79c..90864f1ab8ab9f 100644 
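Review bot: The `query` line moved in the last hunk, `"not destination.ip: 10.0.0.0/8 and not 172.16.0.0/12"`, only scopes the first exclusion to `destination.ip`; in KQL the second term is a bare value matched against default fields, so 172.16/12 destinations are not actually excluded, and 192.168.0.0/16 is not excluded at all, unlike linux_network_anomalous_process_using_https_ports.json which excludes all three private ranges by field. Suggest `"query": "not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)"`. The commit only reorders keys in this file, so the defect predates it, but the rule is being shipped as pre-packaged in this state.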
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json @@ -1,68 +1,16 @@ { - "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", - "risk_score": 50, "description": "Linux: Kernel Module Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Kernel Module Activity", + "query": "process.name: (insmod or kmod or modprobe or rmod) and event.action:executed", + "risk_score": 50, + "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: (insmod or kmod or modprobe or rmod)", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
index 2db76834061b96..174e246fa70d98 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "3f31a31c-f7cf-4268-a0df-ec1a98099e7f",
- "risk_score": 50,
 "description": "Linux ld.so process activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux ld.so process activity",
+ "query": "process.name:ld.so and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "3f31a31c-f7cf-4268-a0df-ec1a98099e7f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:ld.so",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
new file mode 100644
index 00000000000000..77953240c21859
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
@@ -0,0 +1,17 @@
+{
+ "description": "Linux lzop activity - possible @JulianRunnels",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Linux lzop activity",
+ "query": "process.name:lzop and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "d7359214-54a4-4572-9e51-ebf79cda9b04",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
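Review bot: The new file's `description`, `"Linux lzop activity - possible @JulianRunnels"`, is the description (and name) of the existing linux_lzop_activity_possible_julianrunnels.json rather than of this rule, whose `name` is `"Linux lzop activity"`; the `@JulianRunnels` attribution reads as a copy-paste leftover and is not something to show in a shipped rule. The two rules otherwise differ only in the added `and event.action:executed`, so one of them looks redundant. If both are kept, the descriptions should distinguish them, e.g. `"description": "Linux lzop activity"` here.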
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json
index 5b3a978813b79f..62203b6c42a5a5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d89b05b1-9b2b-45ea-9876-4a74550af6a6",
- "risk_score": 50,
 "description": "Linux lzop activity - possible @JulianRunnels",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux lzop activity - possible @JulianRunnels",
+ "query": "process.name:lzop",
+ "risk_score": 50,
+ "rule_id": "d89b05b1-9b2b-45ea-9876-4a74550af6a6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:lzop",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
index 04ddc409c1efe7..08940115207413 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
@@ -1,68 +1,16 @@ { - "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", - "risk_score": 50, "description": "Linux: Mknod Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Mknod Activity", + "query": "process.name: mknod and event.action:executed", + "risk_score": 50, + "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: mknod", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json index 1ba35bec8f5174..d324a4f64cbbad 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json 
@@ -1,93 +1,16 @@ { - "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", - "risk_score": 50, "description": "Linux: Netcat Network Connection", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", - "name": "Linux: Netcat Network Connection", + "language": "kuery", + "name": "Linux: Netcat Network Activity", + "query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action: (connected-to or bound-socket or socket_opened)", + "risk_score": 50, + "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional)", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "socket_opened", - "params": { - "query": "socket_opened" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "socket_opened", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": true, - "type": "phrase", - "key": "destination.ip", - "value": "127.0.0.1", - "params": { - "query": "127.0.0.1" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "destination.ip": { - "query": "127.0.0.1", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": true, - "type": "phrase", - "key": "destination.ip", - "value": "::1", - "params": { - "query": "::1" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index" - }, - "query": { - "match": { - "destination.ip": { - "query": "::1", - "type": "phrase" - } - } - }, - "$state": { - "store": 
"appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json index d5bf37daab0f48..d04f6610f450d4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json 
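Review bot: The negated `destination.ip` filters for `127.0.0.1` and `::1` removed in this hunk are not carried into the new `query`, which widens `event.action` to `connected-to or bound-socket or socket_opened` but adds no loopback exclusion, so purely local netcat connections now alert where they previously did not; if the exclusion is still wanted, append `and not destination.ip: (127.0.0.1 or ::1)` to the query. `name` also changes to `"Linux: Netcat Network Activity"` while `description` stays `"Linux: Netcat Network Connection"` and the file keeps its `_connection` name; the two strings should agree.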
@@ -1,17 +1,17 @@
 {
- "rule_id": "be40c674-1799-4a00-934d-0b2d54495913",
- "risk_score": 50,
 "description": "Linux Network - Anomalous Process Using HTTP/S Ports",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux Network - Anomalous Process Using HTTP/S Ports",
+ "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:curl and not process.name:http and not process.name:https and not process.name:nginx and not process.name:packetbeat and not process.name:python2 and not process.name:snapd and not process.name:wget",
+ "risk_score": 50,
+ "rule_id": "be40c674-1799-4a00-934d-0b2d54495913",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:curl and not process.name:http and not process.name:https and not process.name:nginx and not process.name:packetbeat and not process.name:python2 and not process.name:snapd and not process.name:wget",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
index 430d6b6984d6cd..cb89fdc6ebbff5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
@@ -1,68 +1,16 @@ { - "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", - "risk_score": 50, "description": "Linux: Nmap Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Nmap Activity", + "query": "process.name: nmap", + "risk_score": 50, + "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: nmap", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json index a87f42f1774bf0..b5508c388059cc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json 
@@ -1,68 +1,16 @@ { - "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", - "risk_score": 50, "description": "Linux: Nping Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Nping Activity", + "query": "process.name: nping and event.action:executed", + "risk_score": 50, + "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: nmap", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json index 2a83ff8c5d2c66..d9d409feae4735 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json @@ -1,68 +1,16 @@ { - "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", - "risk_score": 50, "description": "Linux: Process Started in Temp Directory", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Process Started in Temp Directory", + "query": "process.working_directory: /tmp and event.action:executed", + "risk_score": 50, + "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.working_directory: /tmp", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json index 0ac4365ae8b7ea..47ae28cf8ea4c0 100644 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json @@ -1,43 +1,16 @@ { - "rule_id": "1bff9259-e160-4920-bf72-4c96b6dbb7af", - "risk_score": 50, "description": "Linux: Ptrace Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Ptrace Activity", + "query": "process.name: ptrace and event.action:executed", + "risk_score": 50, + "rule_id": "1bff9259-e160-4920-bf72-4c96b6dbb7af", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: ptrace", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json index ff74ba8e51b87a..d4924cab7048fc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json 
@@ -1,68 +1,16 @@ { - "rule_id": "30eb2b9d-b53b-4ba5-bfab-7119a8b84029", - "risk_score": 50, "description": "Linux: Rawshark Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Rawshark Activity", + "query": "process.name: rawshark and event.action:executed", + "risk_score": 50, + "rule_id": "30eb2b9d-b53b-4ba5-bfab-7119a8b84029", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: rawshark", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index 7499f6bc17ac16..d533f5d4ec3f64 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
- "risk_score": 50,
 "description": "Linux: Shell Activity By Web Server",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Linux: Shell Activity By Web Server",
+ "query": "process.name: bash and (user.name: apache or www) and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name: bash and (user.name: apache or www)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
new file mode 100644
index 00000000000000..2ea860e0619587
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
@@ -0,0 +1,16 @@
+{
+ "description": "Linux: socat activity",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Linux: Whoami Commmand",
+ "query": "process.name:socat and not process.args:\"-V\" and event.action:executed",
+ "risk_score": 50,
+ "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
new file mode 100644
index 00000000000000..38562320921b4d
--- /dev/null
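Review bot: In the new `query`, `(user.name: apache or www)` binds only `apache` to `user.name`; in KQL the trailing `www` is a free-text term matched against default fields, so the rule does not do what the parenthesisation suggests and may match unrelated events that merely contain "www". The grouping should be `"query": "process.name: bash and user.name: (apache or www) and event.action:executed"`. The same mis-grouping is in the removed line, so the commit carries it forward rather than introducing it.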
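Review bot: The new rule's `name` is `"Linux: Whoami Commmand"` while its `description`, `query` and filename are all about socat, so the name is a copy-paste leftover (with a typo) and is the string users will see in the rule list and in alerts. Change it to `"name": "Linux: socat activity"` to match the description. The `rule_id` duplicate check mentioned in the PR would not catch this kind of mismatch, so a name/description consistency check in the same linter may be worth adding.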
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
@@ -0,0 +1,19 @@
+{
+ "description": "Detect ssh processes with the `-R` flag which can be used to forward a port on a local system to the local system so that someone on the remote system can connect to the local system. This is often used by attackers to create encrypted tunnels through firewalls for pivoting and persistence.",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Linux: SSH Port Forwarding",
+ "query": "process.name:ssh and process.args:\"-R\" and event.action:executed",
+ "references": [
+ " - https://www.ssh.com/ssh/tunneling,https://www.ssh.com/ssh/tunneling/example,https://attack.mitre.org/techniques/T1184/"
+ ],
+ "risk_score": 50,
+ "rule_id": "45d256ab-e665-445b-8306-2f83a8db59f8",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
index 5c813fbb62eb7e..dc0eae38d20c65 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
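Review bot: `references` holds a single element, `" - https://www.ssh.com/ssh/tunneling,https://www.ssh.com/ssh/tunneling/example,https://attack.mitre.org/techniques/T1184/"`, with a leading ` - ` and three comma-joined URLs, so none of the links will resolve when the UI renders them; it should be three separate strings, `["https://www.ssh.com/ssh/tunneling", "https://www.ssh.com/ssh/tunneling/example", "https://attack.mitre.org/techniques/T1184/"]`. This looks like a conversion artefact from the saved-object script and is worth a check in the linter alongside the `rule_id` duplicate check. The `description` also says `-R` forwards "a port on a local system to the local system"; the second occurrence presumably should read "remote system", since that is the side the flag opens the listener on.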
@@ -1,68 +1,16 @@ { - "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", - "risk_score": 50, "description": "Linux: Strace Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Strace Activity", + "query": "process.name: strace and event.action:executed", + "risk_score": 50, + "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: strace", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json index 1df4ad8b469b91..f7b543fef75f5e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json 
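Review bot: The removed filters pinned this rule to `event.dataset: process` with `event.action: process_started`, and the new query keys on `event.action:executed` instead; as far as I can tell those come from different Auditbeat sources (the system/process dataset emits `process_started`, the auditd module emits `executed`), so this changes which events the rule can ever see rather than merely folding the filters into the query. If the intent is to keep watching the system/process dataset, the query should be `"query": "process.name:strace and event.dataset:process and event.action:process_started",`; if moving to auditd data is deliberate, say so in the description, since the rule ships `immutable` and a user who has only the system module will get a silently dead rule. The same substitution is made in the tcpdump and whoami rules below.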
@@ -1,43 +1,16 @@ { - "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", - "risk_score": 50, "description": "Linux: Tcpdump Activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Tcpdump Activity", + "query": "process.name: tcpdump and event.action:executed", + "risk_score": 50, + "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: tcpdump", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json index efa84c22f928c8..a63b2ea7dc5221 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json 
@@ -1,29 +1,22 @@ { - "rule_id": "4cc78842-f8a9-4a20-b703-a596c4f24e4f", - "risk_score": 50, "description": "Linux unusual shell activity", - "immutable": true, - "interval": "5m", - "name": "Linux unusual shell activity", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "process.name:*sh", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": true, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "process.name", - "value": "bash", + "negate": true, "params": { "query": "bash" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "bash" }, "query": { "match": { @@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": true, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "process.executable", - "value": "/bin/dash", + "negate": true, "params": { "query": "/bin/dash" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "/bin/dash" }, "query": { "match": { 
@@ -57,23 +50,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": true, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "key": "process.name", - "value": "ReportCrash", + "negate": true, "params": { "query": "ReportCrash" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index" + "type": "phrase", + "value": "ReportCrash" }, "query": { "match": { @@ -82,12 +75,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Linux unusual shell activity", + "query": "process.name:*sh", + "risk_score": 50, + "rule_id": "4cc78842-f8a9-4a20-b703-a596c4f24e4f", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json index d9ee2ccc98f109..876a3fef7aa091 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json 
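Review bot: `process.name:*sh` is a leading-wildcard match on a keyword field and, with only bash, /bin/dash and ReportCrash excluded, it still matches `ssh`, `zsh`, `ksh`, `fish` and `tcsh`, so every interactive ssh client invocation raises this alert; ReportCrash is a macOS crash reporter, which suggests the exclusion list was lifted from a non-Linux rule. Unlike the other Linux rules in this patch the query has no `event.action` constraint, so one long-lived shell alerts on every event it emits instead of once at start. An explicit list is both cheaper to evaluate and easier to reason about, e.g. `"query": "process.name:(sh or zsh or ksh or csh or tcsh or fish) and event.action:executed",` with the three phrase filters dropped; the rule's `filters` block starts in the earlier hunks of this file.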
@@ -1,43 +1,16 @@ { - "rule_id": "e8ec93a6-49d2-4467-8c12-81c435fcc519", - "risk_score": 50, "description": "Linux: Web Download", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Web Download", + "query": "process.name: (curl or wget) and event.action:executed", + "risk_score": 50, + "rule_id": "e8ec93a6-49d2-4467-8c12-81c435fcc519", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: curl or wget", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "socket_opened", - "params": { - "query": "socket_opened" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "socket_opened", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json index 47c01778786c27..56a2782eb0cca0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json 
@@ -1,68 +1,16 @@ { - "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", - "risk_score": 50, "description": "Linux: Whoami Commmand", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Linux: Whoami Commmand", + "query": "process.name: whoami and event.action:executed", + "risk_score": 50, + "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name: whoami", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "process_started", - "params": { - "query": "process_started" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "process_started", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - }, - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.dataset", - "value": "process", - "params": { - "query": "process" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" - }, - "query": { - "match": { - "event.dataset": { - "query": "process", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json index 3dfbb508b897f8..1a3c3c003b532c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json @@ -1,17 +1,17 @@ { - "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", - "risk_score": 50, "description": "Network - DNS Directly to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - DNS Directly to the Internet\t", + "query": "destination.port:53 and not destination.ip: 169.254.169.254/32 and not destination.ip:127.0.0.53/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:53 and not destination.ip: 169.254.169.254/32 and not destination.ip:127.0.0.53/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json index 7462fd445d1ec1..99a126f0613ec0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json 
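Review bot: The exclusion list covers the three RFC 1918 blocks, the single loopback address 127.0.0.53 and the cloud metadata address, so a resolver on any other loopback address, on link-local, on CGNAT (100.64.0.0/10) or on an IPv6 ULA/link-local address is reported as "directly to the Internet". Extending the query with `and not destination.ip:127.0.0.0/8 and not destination.ip:169.254.0.0/16 and not destination.ip:100.64.0.0/10 and not destination.ip:fc00::/7 and not destination.ip:fe80::/10` removes the obvious false positives without weakening the rule. The same RFC 1918-only exclusion is pasted into every network_* rule in this patch; generating it from one constant in the conversion script would keep the rules from drifting, which is already visible in later hunks.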
@@ -1,17 +1,17 @@ { - "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", - "risk_score": 50, "description": "Network - FTP (File Transfer Protocol) Activity to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - FTP (File Transfer Protocol) Activity to the Internet\t", + "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json index 00976ea21cd44b..79814eb552d5ba 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", - "risk_score": 50, "description": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet\t", + "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json index 6363dd7529cd6e..d370773e3879f8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json 
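Review bot: The IRC rule's `query` is `(destination.port:20 or destination.port:21) and not destination.ip:...`, byte-identical to the FTP rule in the previous hunk, so this rule detects FTP and never IRC. IRC conventionally uses 6667 (6660-6669, and 6697 for TLS), so something like `"query": "(destination.port:6667 or destination.port:6697) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",` matches the name. Since these rules ship with `"immutable": true`, which elsewhere in the detection engine means users cannot edit them in place, a wrong query cannot be corrected by the customer; a test asserting that each rule's `query` is unique across the prepackaged set would catch this class of copy-paste error before release.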
@@ -1,17 +1,17 @@ { - "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", - "risk_score": 50, "description": "Network - NAT Traversal Port Activity\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - NAT Traversal Port Activity\t", + "query": "destination.port:4500", + "risk_score": 50, + "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:4500", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json index bda9984167718f..cfdb5e6584ee37 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json @@ -1,17 +1,17 @@ { - "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", - "risk_score": 50, "description": "Network - Port 26 Activity\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - Port 26 Activity\t", + "query": "destination.port:26", + "risk_score": 50, + "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:26", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json index efd92f988fd2bc..218109b73221d6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json @@ -1,17 +1,17 @@ { - "rule_id": "9c5f8092-e3f7-4eda-b9d3-56eed28fb157", - "risk_score": 50, "description": "Network - Port 8000 Activity", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - Port 8000 Activity", + "query": "destination.port:8000", + "risk_score": 50, + "rule_id": "9c5f8092-e3f7-4eda-b9d3-56eed28fb157", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:8000", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json index 790773f5308bb6..5eeda8e094bb97 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", - "risk_score": 50, "description": "Network - Port 8000 Activity to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - Port 8000 Activity to the Internet\t", + "query": "destination.port:8000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:8000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json index f22a23648a7fa4..7b83966e18e704 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json 
@@ -1,17 +1,17 @@ { - "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", - "risk_score": 50, "description": "Network - PPTP (Point to Point Tunneling Protocol) Activity\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - PPTP (Point to Point Tunneling Protocol) Activity\t", + "query": "destination.port:1723", + "risk_score": 50, + "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:1723", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json index e7cc9b2b07cfdd..3a55db40504592 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", - "risk_score": 50, "description": "Network - Proxy Port Activity to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - Proxy Port Activity to the Internet\t", + "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json index 69383d91ccbb90..e5c1e33470fa47 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", - "risk_score": 50, "description": "Network - RDP (Remote Desktop Protocol) from the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - RDP (Remote Desktop Protocol) from the Internet\t", + "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json index b069bd5e3ca67f..92316f2bb05daf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json 
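Review bot: The RDP-from-the-Internet query is a copy of the proxy-port rule two hunks up: it matches `destination.port:8080 or 3128` and excludes private *destination* addresses, so it looks at neither RDP nor inbound traffic. Following the direction pattern the SSH-from-the-Internet rule uses later in this patch, it should be `"query": "destination.port:3389 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",`. The "from" rules also share a blind spot that `not source.ip:<RFC1918>` still admits loopback and link-local sources; adding `and not source.ip:127.0.0.0/8 and not source.ip:169.254.0.0/16` would cut that noise.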
@@ -1,17 +1,17 @@ { - "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", - "risk_score": 50, "description": "Network - RDP (Remote Desktop Protocol) to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - RDP (Remote Desktop Protocol) to the Internet\t", + "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json index bef842ec2adc35..69d6d18ced8b9d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", - "risk_score": 50, "description": "Network - RPC (Remote Procedure Call) from the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - RPC (Remote Procedure Call) from the Internet\t", + "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json index 15184aee86edb8..1f9a71bab92442 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json 
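Review bot: This RPC-from-the-Internet query is a copy of the RDP-to-the-Internet rule (`destination.port:3389`, private *destination* excluded), so it never matches RPC and never matches inbound traffic. It should take its port from the RPC-to-the-Internet rule in the next hunk and its direction from the SSH-from-the-Internet rule: `"query": "destination.port:135 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",`. This is the third network rule in the patch carrying another rule's query; a linter check that the port named in the file or `name` appears in the `query`, or at minimum that queries are unique, would be cheap insurance for an immutable rule set.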
@@ -1,17 +1,17 @@ { - "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", - "risk_score": 50, "description": "Network - RPC (Remote Procedure Call) to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - RPC (Remote Procedure Call) to the Internet\t", + "query": "destination.port:135 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:135 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json index 365490792ed377..627a89609cc21f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", - "risk_score": 50, "description": "Network - SMB (Windows File Sharing) Activity to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - SMB (Windows File Sharing) Activity to the Internet\t", + "query": "(destination.port:139 or destination.port:445) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "(destination.port:139 or destination.port:445) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json index b16e84e8cea742..ff5a61cbe00e67 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", - "risk_score": 50, "description": "Network - SMTP to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - SMTP to the Internet\t", + "query": "destination.port:25 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:25 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json index 4e884f0de11673..eeeb93e12938f0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", - "risk_score": 50, "description": "Network - SQL Server Port Activity to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - SQL Server Port Activity to the Internet\t", + "query": "destination.port:1433 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:1433 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json index f7340b710be358..11f24626fa0c19 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", - "risk_score": 50, "description": "Network - SSH (Secure Shell) from the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - SSH (Secure Shell) from the Internet\t", + "query": "destination.port:22 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:22 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json index 21877b9716aaeb..ded8c005c4462e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", - "risk_score": 50, "description": "Network - SSH (Secure Shell) to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - SSH (Secure Shell) to the Internet\t", + "query": "destination.port:22 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:22 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json index 2d917277bcb85e..a48f311163c2da 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json @@ -1,17 +1,17 @@ { - "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", - "risk_score": 50, "description": "Network - Telnet Port Activity\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - Telnet Port Activity\t", + "query": "destination.port:23", + "risk_score": 50, + "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:23", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json index 991cc02a2123fa..713cc7da72e571 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json @@ -1,17 +1,17 @@ { - "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540", - "risk_score": 50, "description": "Network - Tor Activity to the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - Tor Activity to the Internet\t", + "query": "(destination.port:9001 or destination.port:9030) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "(destination.port:9001 or destination.port:9030) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json index 5fbffa0149783a..4f1dba808600e4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json @@ -1,17 +1,17 @@ { - "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", - "risk_score": 50, "description": "Network - VNC (Virtual Network Computing) From the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - VNC (Virtual Network Computing) From the Internet\t", + "query": "destination.port:5800 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:5800 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json index 9d3608cb9e05df..fd04ae3ae7dee1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", - "risk_score": 50, "description": "Network - VNC (Virtual Network Computing) To the Internet\t", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Network - VNC (Virtual Network Computing) To the Internet\t", + "query": "destination.port:5800 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "destination.port:5800 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json new file mode 100644 index 00000000000000..d563944171b7ac --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json @@ -0,0 +1,35 @@ +{ + "description": "Null user agent", + "enabled": false, + "filters": [ + { + "meta": { + "alias": null, + "negate": true, + "disabled": false, + "type": "exists", + "key": "user_agent.original", + "value": "exists", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + }, + "exists": { + "field": "user_agent.original" + }, + "$state": { + "store": "appState" + } + } + ], + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Null user agent", + "query": "url.path: *", + "risk_score": 50, + "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d", + "severity": "low", + "to": "now", + "type": "query", + "version": 1 +} 
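Review bot: The new `null_user_agent.json` does not follow the key ordering this PR establishes for every other rule: inside `filters[0]` the `meta` keys run `alias, negate, disabled, type, key, value, indexRefName` and `$state` comes last, whereas the rewritten rules (for example the PowerShell rule below) use the sorted order `alias, disabled, indexRefName, key, negate, …, type, value` with `$state` first. This file was presumably hand-written or not run through the updated conversion script; regenerating it with the script would make it consistent and keep the new `rule_id` duplicate check and ordering in one place. Functionally, `"query": "url.path: *"` combined with the negated `exists` filter on `user_agent.original` matches any HTTP event lacking a user agent, which the description states, so only the formatting needs attention.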
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json index ba86dd5bdf1dbb..075f77490a237c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json @@ -1,29 +1,22 @@ { - "rule_id": "8e792144-39a6-4a63-9779-2f12719dc132", - "risk_score": 50, "description": "Powershell network connection", - "immutable": true, - "interval": "5m", - "name": "Powershell network connection", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "process.name:powershell.exe", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.action", - "value": "Network connection detected (rule: NetworkConnect)", + "negate": false, "params": { "query": "Network connection detected (rule: NetworkConnect)" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "Network connection detected (rule: NetworkConnect)" }, "query": { "match": { 
@@ -32,23 +25,23 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } }, { + "$state": { + "store": "appState" + }, "meta": { - "negate": true, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "destination.ip", - "value": "169.254.169.254", + "negate": true, "params": { "query": "169.254.169.254" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase", + "value": "169.254.169.254" }, "query": { "match": { @@ -57,12 +50,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Powershell network connection", + "query": "process.name:powershell.exe", + "risk_score": 50, + "rule_id": "8e792144-39a6-4a63-9779-2f12719dc132", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json index d6743c1ead4acb..5ed0ad3899b4ce 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json 
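Review bot: The second filter of the PowerShell rule is a negated phrase on `destination.ip` for `169.254.169.254`, so a `powershell.exe` network connection to the cloud instance metadata endpoint is the one case this rule will never alert on. That exclusion looks like noise suppression carried over from the authoring environment, but for a detection named "Powershell network connection" it removes a high-value signal (credential retrieval from the metadata service is a well-documented defender concern) and should at least be justified in the rule or dropped. If the intent is to reduce volume, a note in `description` such as `"Excludes link-local metadata traffic (169.254.169.254); review before enabling in cloud-hosted environments"` would make the trade-off explicit. The first hunk of this file starts on the previous line.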
@@ -1,17 +1,17 @@ { - "rule_id": "14ba7cd9-1489-459b-99a4-153c7a3f9abb", - "risk_score": 50, "description": "Process Execution via WMI", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Process Execution via WMI", + "query": "process.name:scrcons.exe", + "risk_score": 50, + "rule_id": "14ba7cd9-1489-459b-99a4-153c7a3f9abb", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:scrcons.exe", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json index 99968dbdcc00db..c00b88e5f88ef2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json 
@@ -1,29 +1,22 @@ { - "rule_id": "c359628d-d5af-4a20-99df-aeeea109b690", - "risk_score": 50, "description": "Process started by Acrobat reader - possible payload", - "immutable": true, - "interval": "5m", - "name": "Process started by Acrobat reader - possible payload", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "process.parent.name:AcroRd32.exe", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", + "negate": false, "params": { "query": "Process Create (rule: ProcessCreate)" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "Process Create (rule: ProcessCreate)" }, "query": { "match": { @@ -32,12 +25,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Process started by Acrobat reader - possible payload", + "query": "process.parent.name:AcroRd32.exe", + "risk_score": 50, + "rule_id": "c359628d-d5af-4a20-99df-aeeea109b690", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json index 9241a2a44eb069..5237b17e7d69f2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json @@ -1,29 +1,22 @@ { - "rule_id": "3181b814-08e3-43f9-b77a-a2530603b131", - "risk_score": 50, "description": "Process started by MS Office program - possible payload", - "immutable": true, - "interval": "5m", - "name": "Process started by MS Office program - possible payload", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": " process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { - "negate": false, - "type": "phrase", + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", + "negate": false, "params": { "query": "Process Create (rule: ProcessCreate)" }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "Process Create (rule: ProcessCreate)" }, "query": { "match": { @@ -32,12 +25,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Process started by MS Office program - possible payload", + "query": " process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", + "risk_score": 50, + "rule_id": "3181b814-08e3-43f9-b77a-a2530603b131", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json index 3f1dc90c99c97e..1a686a4482df6e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json @@ -1,17 +1,17 @@ { - "rule_id": "b3da3321-417d-494b-854c-b40369e063f0", - "risk_score": 50, "description": "Process started by Windows Defender", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Process started by Windows Defender", + "query": "parent.process.name:MsMpEng.exe", + "risk_score": 50, + "rule_id": "b3da3321-417d-494b-854c-b40369e063f0", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "parent.process.name:MsMpEng.exe", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json index 3797b44c6d9670..b928e7dc805766 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json 
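Review bot: The re-added query in the Windows Defender hunk, `"query": "parent.process.name:MsMpEng.exe"`, uses an inverted field path: every other rule in this set (Acrobat, MS Office, spoolsv, netsh) queries the ECS field `process.parent.name`, and no `parent.process.name` field exists in ECS, so on ECS-mapped data this rule can never match. Since the key reordering rewrites the line anyway, this is the moment to correct it: `"query": "process.parent.name:MsMpEng.exe",`. A linter check that field names in `query` resolve against the ECS schema would have caught this, and would pair well with the `rule_id` duplicate check this PR adds.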
@@ -1,17 +1,17 @@ { - "rule_id": "9511b7f4-3898-4813-8bd3-d810b03148ab", - "risk_score": 50, "description": "PSexec activity", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "PSexec activity", + "query": "process.name:PsExec.exe or process.name:PsExec64.exe", + "risk_score": 50, + "rule_id": "9511b7f4-3898-4813-8bd3-d810b03148ab", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:PsExec.exe or process.name:PsExec64.exe", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json index 86c1c36f4b832c..ab76b1ed9ff9ec 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json @@ -1,16 +1,6 @@ { - "rule_id": "5d00c579-794c-4f64-be52-1ed8cae2b11e", - "risk_score": 50, "description": "(Search) Windows 10", - "immutable": true, - "interval": "5m", - "name": "(Search) Windows 10", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "", - "language": "kuery", + "enabled": false, "filters": [ { "$state": { @@ -19,13 +9,13 @@ "meta": { "alias": null, "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "agent.hostname", "negate": false, "params": { "query": "LAPTOP-CQNI37L2" }, - "type": "phrase", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase" }, "query": { "match": { 
@@ -37,16 +27,19 @@ } }, { + "$state": { + "store": "appState" + }, "meta": { "alias": null, - "negate": false, "disabled": false, - "type": "phrase", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.provider", + "negate": false, "params": { "query": "Microsoft-Windows-Sysmon" }, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + "type": "phrase" }, "query": { "match": { @@ -55,12 +48,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "(Search) Windows 10", + "query": "", + "risk_score": 50, + "rule_id": "5d00c579-794c-4f64-be52-1ed8cae2b11e", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json index 554ddb1468d0ba..e20197dfd2c928 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json 
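Review bot: The `(Search) Windows 10` rule is marked `"immutable": true` and shipped as a pre-packaged detection, yet its new-side content is an empty query (`"query": ""`) plus a phrase filter on `agent.hostname` for `LAPTOP-CQNI37L2`, which is a single machine's hostname rather than a detection pattern. As written it fires on all Sysmon events from one host and on nothing anywhere else, so it reads as a saved search exported from a development workstation that slipped into the bundle. It should be removed from the pre-packaged set, or rewritten without the host-specific filter and given a `description` that states what it detects. The `agent.hostname` filter sits in the first hunk of this file, which begins on the previous line.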
@@ -1,17 +1,17 @@ { - "rule_id": "2f026c73-bb63-455e-abdf-f11f463acf0d", - "risk_score": 50, "description": "Splunk - Child Processes of Spoolsv.exe", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Splunk - Child Processes of Spoolsv.exe", + "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ", + "risk_score": 50, + "rule_id": "2f026c73-bb63-455e-abdf-f11f463acf0d", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json index 30dd0023b44914..11186bfb44d62b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json 
@@ -1,17 +1,17 @@ { - "rule_id": "e108c0c6-5ee8-47a0-8c23-ec47ba3a9b00", - "risk_score": 50, "description": "Splunk - Detect Large Outbound ICMP Packets", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Splunk - Detect Large Outbound ICMP Packets", + "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "e108c0c6-5ee8-47a0-8c23-ec47ba3a9b00", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json index 8ae0c57d6aeaae..724985b2d1de8e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json 
@@ -1,17 +1,17 @@ { - "rule_id": "2cdf84be-1c9c-4184-9880-75b9a6ddeaba", - "risk_score": 50, "description": "Splunk - Detect Long DNS TXT Record Response", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Splunk - Detect Long DNS TXT Record Response", + "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53", + "risk_score": 50, + "rule_id": "2cdf84be-1c9c-4184-9880-75b9a6ddeaba", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json index 39cb60d130a690..c0e773f09b1684 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json 
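Review bot: The re-added query for "Detect Long DNS TXT Record Response" never constrains the record type: `network.protocol:dns and server.bytes>100 and not destination.ip:…` matches any DNS reply over 100 bytes to a non-private resolver, so the name and description over-promise relative to the logic (ordinary A/AAAA responses with several answers can exceed 100 bytes). If the data source populates the ECS DNS fields, adding `and dns.question.type:TXT` to the query would align it with its title; otherwise the `name` and `description` should be loosened to say "large DNS responses to external resolvers". The exclusions for `169.254.169.254` and `127.0.0.53` show the author anticipated local resolvers, so the missing record-type term looks like an oversight rather than a design choice.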
@@ -1,17 +1,17 @@ { - "rule_id": "030fc8e4-2c5f-4cc9-a6bd-2b6b7b98ae16", - "risk_score": 50, "description": "Splunk - Detect New Local Admin account", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Splunk - Detect New Local Admin account", + "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators", + "risk_score": 50, + "rule_id": "030fc8e4-2c5f-4cc9-a6bd-2b6b7b98ae16", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json index b8b4d5f34037d0..f9ad5793f25475 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json 
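Review bot: The re-added query `event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators` combines two events whose `TargetUserName` means different things: in Windows security auditing, 4732 (member added to a security-enabled local group) carries the group name there, while 4720 (user account created) carries the newly created account's name, so the 4720 branch only matches an account literally named `Administrators` and contributes nothing to "new local admin" detection. Either drop 4720 so the rule is an honest "member added to Administrators" detection, or split the condition so each code is paired with the field that actually identifies the group, e.g. `event.code:4732 and winlog.event_data.TargetUserName:Administrators`. The `description` should then be updated to match whichever behaviour is kept.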
@@ -1,17 +1,17 @@ { - "rule_id": "4b63cf13-9043-41e3-84ec-6e39eb0d407e", - "risk_score": 50, "description": "Splunk - Detect PsExec With accepteula Flag", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Splunk - Detect PsExec With accepteula Flag", + "query": "process.name:PsExec.exe and process.args:\"-accepteula\"", + "risk_score": 50, + "rule_id": "4b63cf13-9043-41e3-84ec-6e39eb0d407e", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:PsExec.exe and process.args:\"-accepteula\"", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json index 1cd29886f3cd04..0a67c3adeaea55 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json 
@@ -1,17 +1,17 @@ { - "rule_id": "f4388e4c-ec3d-41b3-be5c-27c11f61473c", - "risk_score": 50, "description": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"", + "risk_score": 50, + "rule_id": "f4388e4c-ec3d-41b3-be5c-27c11f61473c", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json index cbedcb655990f4..466f9aff019426 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json 
@@ -1,17 +1,17 @@
 {
- "rule_id": "ce7a0bde-7406-4729-a075-a215f4571ff6",
- "risk_score": 50,
 "description": "Splunk - Processes created by netsh",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Processes created by netsh",
+ "query": "process.parent.name:netsh.exe",
+ "risk_score": 50,
+ "rule_id": "ce7a0bde-7406-4729-a075-a215f4571ff6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.parent.name:netsh.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json
index c25e6211a3bb98..cc54721cd92f2f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "600dba95-f1c6-4a4d-aae1-c79cbd8a5ddd",
- "risk_score": 50,
 "description": "Splunk - Processes launching netsh",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Processes launching netsh",
+ "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
+ "risk_score": 50,
+ "rule_id": "600dba95-f1c6-4a4d-aae1-c79cbd8a5ddd",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json
index 12eafea8d88c9a..c68e074d438171 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f4442e7f-856a-4a4a-851b-c1f9b97b0d39",
- "risk_score": 50,
 "description": "Splunk - Protocols passing authentication in cleartext",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Protocols passing authentication in cleartext",
+ "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
+ "risk_score": 50,
+ "rule_id": "f4442e7f-856a-4a4a-851b-c1f9b97b0d39",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json
index 7317f491d1a9d4..5f36d6623bcfb2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c0747553-4652-4e74-bc86-898f2daa2bde",
- "risk_score": 50,
 "description": "Splunk - Windows Event Log Cleared",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Splunk - Windows Event Log Cleared",
+ "query": "event.code:(1102 or 1100)",
+ "risk_score": 50,
+ "rule_id": "c0747553-4652-4e74-bc86-898f2daa2bde",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:(1102 or 1100)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
new file mode 100644
index 00000000000000..48cf20bcbacf7e
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
@@ -0,0 +1,17 @@
+{
+ "description": "SQLmap user agent",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "SQLmap user agent",
+ "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
+ "risk_score": 50,
+ "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json
index 332f174cad2cf8..05d54f6bdb4c63 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json
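Review bot: The new sqlmap rule only matches one literal User-Agent, `user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"`, so every other sqlmap release (the default UA embeds the version number) and any run with `--random-agent` passes through undetected. A prefix match such as `"query": "user_agent.original:sqlmap*"` would cover the version-numbered defaults, assuming `user_agent.original` is mapped as a keyword in the target indices (worth confirming before changing it). The `description` should also carry the caveat that this rule only catches the tool's default User-Agent and is trivially evaded, so analysts do not treat a miss as absence of scanning.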
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json
@@ -1,17 +1,43 @@
 {
- "rule_id": "6ff01a30-95dd-471c-b61d-0fd9ee2d0a20",
- "risk_score": 50,
 "description": "Suricata Base64 Encoded Invoke-Command Powershell Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Base64 Encoded Invoke-Command Powershell Execution",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187) or rule.id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L179-L184",
+ "This group of signatures detect base-64 encoded variations of the 'Invoke-Command' Powershell cmdlet. This is not something you should see on a typical network and could indicate a possible command and control channel."
+ ],
+ "risk_score": 50,
+ "rule_id": "6ff01a30-95dd-471c-b61d-0fd9ee2d0a20",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "command and control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "techniques": [
+ {
+ "id": "T1001",
+ "name": "data obfuscation",
+ "reference": "https://attack.mitre.org/techniques/T1001/"
+ },
+ {
+ "id": "T1132",
+ "name": "data encoding",
+ "reference": "https://attack.mitre.org/techniques/T1132/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
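Review bot: The Invoke-Command rule's `query`, `severity`, `references` and `threats` all change in this hunk, yet `"version": 1` is left as it was, and with `"immutable": true` the version number is the only signal an already-installed copy of this pre-packaged rule has that an update exists. If the pre-packaged rule update path keys on `version` (I cannot see that code from this hunk), the edit should be `"version": 2`, otherwise deployments that installed the previous `low`-severity rule keep the old query indefinitely. The same applies to every other Suricata rule in this commit whose severity or query changes without a version bump.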
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json
index a86f7fa07e7d99..ac47a6877c5250 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json
@@ -1,17 +1,43 @@
 {
- "rule_id": "d14d5401-0f7a-4933-b816-1b8f823e3d84",
- "risk_score": 50,
 "description": "Suricata Base64 Encoded New-Object Powershell Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Base64 Encoded New-Object Powershell Execution",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610188 or 2610189 or 2610190 or 2610191 or 2610192 or 2610193) or rule.id: (2610188 or 2610189 or 2610190 or 2610191 or 2610192 or 2610193))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L191-L196",
+ "This group of signatures detect base-64 encoded variations of the 'New-Object' Powershell cmdlet. This is not something you should see on a typical network and could indicate a possible command and control channel."
+ ],
+ "risk_score": 50,
+ "rule_id": "d14d5401-0f7a-4933-b816-1b8f823e3d84",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "command and control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "techniques": [
+ {
+ "id": "T1001",
+ "name": "data obfuscation",
+ "reference": "https://attack.mitre.org/techniques/T1001/"
+ },
+ {
+ "id": "T1132",
+ "name": "data encoding",
+ "reference": "https://attack.mitre.org/techniques/T1132/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610188 or 2610189 or 2610190 or 2610191 or 2610192 or 2610193)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
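Review bot: The second element of the new `references` array is a sentence of analyst guidance ("This group of signatures detect base-64 encoded variations of the 'New-Object' Powershell cmdlet. ..."), not a reference, so any UI or export that renders `references` as links will show it as a broken URL. That text belongs in `description`, which currently just repeats `name`: `"description": "Suricata Base64 Encoded New-Object Powershell Execution. This group of signatures detects base-64 encoded variations of the 'New-Object' Powershell cmdlet; this is not something you should see on a typical network and could indicate a command and control channel."`, with the sentence dropped from `references` so only the hunting-rules URL remains. The same misplacement appears in the Invoke-Command and Start-Process rules in this commit.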
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json
index 722ce65dd83e8b..972299bbd74b04 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json
@@ -1,17 +1,43 @@
 {
- "rule_id": "372dce88-003d-4bcf-8c95-34ea8be180a1",
- "risk_score": 50,
 "description": "Suricata Base64 Encoded Start-Process Powershell Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Base64 Encoded Start-Process Powershell Execution",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610194 or 2610195 or 2610196 or 2610197 or 2610198 or 2610199) or rule.id: (2610194 or 2610195 or 2610196 or 2610197 or 2610198 or 2610199))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L191-L196",
+ "This group of signatures detect base-64 encoded variations of the 'Start-Process' Powershell cmdlet. This is not something you should see on a typical network and could indicate a possible command and control channel."
+ ],
+ "risk_score": 50,
+ "rule_id": "372dce88-003d-4bcf-8c95-34ea8be180a1",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "command and control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "techniques": [
+ {
+ "id": "T1001",
+ "name": "data obfuscation",
+ "reference": "https://attack.mitre.org/techniques/T1001/"
+ },
+ {
+ "id": "T1132",
+ "name": "data encoding",
+ "reference": "https://attack.mitre.org/techniques/T1132/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610194 or 2610195 or 2610196 or 2610197 or 2610198 or 2610199)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
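Review bot: The Start-Process rule's reference `https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L191-L196` is byte-identical to the New-Object rule's reference added in this same commit, while the Invoke-Command rule points at a distinct range (`#L179-L184`); the Start-Process signatures 2610194–2610199 are a different block of six SIDs and almost certainly sit at a different line range, so this looks like a copy-paste slip — verify the anchor against the upstream file before shipping. Independently, a line anchor into a `master`-branch file drifts every time upstream edits the file; pinning the reference to a commit SHA would keep it pointing at the six signatures the query names.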
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json
index eb4fa0fe411a9f..bb6a57f905bf7d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "2a3d91c1-5065-46ab-bed0-93f80835b1d5",
- "risk_score": 50,
 "description": "Suricata Category - A suspicious string was detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - A suspicious string was detected",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious string was detected\" or rule.category: \"A suspicious string was detected\")",
+ "risk_score": 50,
+ "rule_id": "2a3d91c1-5065-46ab-bed0-93f80835b1d5",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious string was detected\" or rule.category: \"A suspicious string was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json
index 3fc61c50927c77..9de1f5ad33712e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f840129e-9089-4f46-8af1-0745e8f54713",
- "risk_score": 50,
 "description": "Suricata Category - Attempted Administrator Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted Administrator Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Administrator Privilege Gain\" or rule.category: \"Attempted Administrator Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "f840129e-9089-4f46-8af1-0745e8f54713",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json
index e888b2076f137f..d0c3eb9ba2331c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json
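Review bot: `severity` is raised from `low` to `high` while `risk_score` is left at 50, but elsewhere in this commit `high` is paired with `"risk_score": 100` (Detection of a Denial of Service Attack) and `medium` with `"risk_score": 75` (Denial of Service). The two fields feed triage independently, so a high-severity privilege-gain signal scored 50 sorts below a medium-severity DoS signal scored 75 in any risk-ordered view. Either lift this to a value consistent with the other `high` rules, e.g. `"risk_score": 75` or 100, or record the intended severity→risk_score mapping once and apply it across the set; the same low-score/high-severity pairing recurs in Attempted Denial of Service, Executable code was detected, Exploit Kit Activity and the three Suricata PowerShell rules.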
@@ -1,17 +1,17 @@
 {
- "rule_id": "a62927f4-2488-4679-b56f-cda1a7f4c9e1",
- "risk_score": 50,
 "description": "Suricata Category - Attempted Denial of Service",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted Denial of Service",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Denial of Service\" or rule.category: \"Attempted Denial of Service\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "a62927f4-2488-4679-b56f-cda1a7f4c9e1",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json
index ae93e8bce78012..75995d657b4640 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "88d69362-f496-41d6-8e6b-a2dbaed3513f",
- "risk_score": 50,
 "description": "Suricata Category - Attempted Information Leak",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted Information Leak",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Information Leak\" or rule.category: \"Attempted Information Leak\")",
+ "risk_score": 50,
+ "rule_id": "88d69362-f496-41d6-8e6b-a2dbaed3513f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Information Leak\" or rule.category: \"Attempted Information Leak\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json
index c00e7a42aee06d..31d14a3b687089 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a84cd36c-dd5a-4e86-a2ce-44556c21cef0",
- "risk_score": 50,
 "description": "Suricata Category - Attempted Login with Suspicious Username",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted Login with Suspicious Username",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"An attempted login using a suspicious username was detected\" or rule.category: \"An attempted login using a suspicious username was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "a84cd36c-dd5a-4e86-a2ce-44556c21cef0",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json
index 1b2fcbee310da6..13300e8a17694d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "eabce895-4602-4d20-8bf9-11c903bb3e08",
- "risk_score": 50,
 "description": "Suricata Category - Attempted User Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Attempted User Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted User Privilege Gain\" or rule.category: \"Attempted User Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "eabce895-4602-4d20-8bf9-11c903bb3e08",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json
index feedffeaacc9c4..9c1e3ef1b39f8e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "00503a3c-304c-421c-bfea-e5d8fdfd9726",
- "risk_score": 50,
 "description": "Suricata Category - Client Using Unusual Port",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Client Using Unusual Port",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A client was using an unusual port\" or rule.category: \"A client was using an unusual port\")",
+ "risk_score": 50,
+ "rule_id": "00503a3c-304c-421c-bfea-e5d8fdfd9726",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A client was using an unusual port\" or rule.category: \"A client was using an unusual port\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json
index e05461baf36de6..a4ef732c2e1bd5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "74cd4920-a441-41d2-8a23-5bee70626e60",
- "risk_score": 50,
 "description": "Suricata Category - Crypto Currency Mining Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Crypto Currency Mining Activity",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Crypto Currency Mining Activity Detected\" or rule.category: \"Crypto Currency Mining Activity Detected\")",
+ "risk_score": 50,
+ "rule_id": "74cd4920-a441-41d2-8a23-5bee70626e60",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Crypto Currency Mining Activity Detected\" or rule.category: \"Crypto Currency Mining Activity Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json
index 0e22aa66ca04dd..43f767f14b7e6c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "e9fc5bd3-c8a1-442c-be6d-032da07c508b",
- "risk_score": 50,
 "description": "Suricata Category - Decode of an RPC Query",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Decode of an RPC Query",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Decode of an RPC Query\" or rule.category: \"Decode of an RPC Query\")",
+ "risk_score": 50,
+ "rule_id": "e9fc5bd3-c8a1-442c-be6d-032da07c508b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Decode of an RPC Query\" or rule.category: \"Decode of an RPC Query\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json
index 0810168bbaf158..74a566563f15a3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "190bd112-f831-4813-98b2-e45a934277c2",
- "risk_score": 50,
 "description": "Suricata Category - Default Username and Password Login Attempt",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Default Username and Password Login Attempt",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempt to login by a default username and password\" or rule.category: \"Attempt to login by a default username and password\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "190bd112-f831-4813-98b2-e45a934277c2",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json
index d6ef10a86c1845..d7a615807593e6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0e97e390-84db-4725-965a-a8b0b600f7be",
- "risk_score": 50,
 "description": "Suricata Category - Denial of Service",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Denial of Service",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Denial of Service\" or rule.category: \"Denial of Service\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "0e97e390-84db-4725-965a-a8b0b600f7be",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json
index 3f4975bcdfb144..e0bf4220d4467f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "42a60eaa-fd20-479b-b6ca-bdb88d47b34b",
- "risk_score": 50,
 "description": "Suricata Category - Denial of Service Attack",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Denial of Service Attack",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Denial of Service Attack\" or rule.category: \"Detection of a Denial of Service Attack\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 100,
+ "rule_id": "42a60eaa-fd20-479b-b6ca-bdb88d47b34b",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json
index f1f6177e015035..09a72e761cb409 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4699296b-5127-475a-9d83-8434fcd18136",
- "risk_score": 50,
 "description": "Suricata Category - Executable code was detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Executable code was detected",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Executable code was detected\" or rule.category: \"Executable code was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "4699296b-5127-475a-9d83-8434fcd18136",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json
index 025f0f4d266f93..8c8f5565da4e64 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b3111af8-79bf-4ec3-97ae-28d9ed9fbd38",
- "risk_score": 50,
 "description": "Suricata Category - Exploit Kit Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Exploit Kit Activity",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Exploit Kit Activity Detected\" or rule.category: \"Exploit Kit Activity Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "b3111af8-79bf-4ec3-97ae-28d9ed9fbd38",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json
index eab3cb59108617..39c42d81ee59d5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c7df9ecf-d6be-4ef8-9871-cb317dfff0b4",
- "risk_score": 50,
 "description": "Suricata Category - External IP Address Retrieval",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - External IP Address Retrieval",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Device Retrieving External IP Address Detected\" or rule.category: \"Device Retrieving External IP Address Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "c7df9ecf-d6be-4ef8-9871-cb317dfff0b4",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json
index 37b93ce6886d89..e4d15f667371f9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "3309bffa-7c43-409a-acea-6631c1b077e5",
- "risk_score": 50,
 "description": "Suricata Category - Generic ICMP event",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Generic ICMP event",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic ICMP event\" or rule.category: \"Generic ICMP event\")",
+ "risk_score": 25,
+ "rule_id": "3309bffa-7c43-409a-acea-6631c1b077e5",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic ICMP event\" or rule.category: \"Generic ICMP event\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json
index ed5a6dbe47f5a4..faaccc5eee9926 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "6fd2deb4-a7a9-4221-8b7b-8d26836a8c30",
- "risk_score": 50,
 "description": "Suricata Category - Generic Protocol Command Decode",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Generic Protocol Command Decode",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic Protocol Command Decode\" or rule.category: \"Generic Protocol Command Decode\")",
+ "risk_score": 25,
+ "rule_id": "6fd2deb4-a7a9-4221-8b7b-8d26836a8c30",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic Protocol Command Decode\" or rule.category: \"Generic Protocol Command Decode\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json
index 7cec0f24570ec5..c58b4a5f4b13a3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "95df8ff4-7169-4c84-ae50-3561b1d1bc91",
- "risk_score": 50,
 "description": "Suricata Category - Information Leak",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Information Leak",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Information Leak\" or rule.category: \"Information Leak\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "95df8ff4-7169-4c84-ae50-3561b1d1bc91",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json
index c871624f86d9f1..b1916165c6e903 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ca98de30-c703-4170-97ae-ab2b340f6080",
- "risk_score": 50,
 "description": "Suricata Category - Large Scale Information Leak",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Large Scale Information Leak",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Large Scale Information Leak\" or rule.category: \"Large Scale Information Leak\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "ca98de30-c703-4170-97ae-ab2b340f6080",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json
index e0b7e41b67b92d..4682f973bdfc93 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "56656341-2940-4a69-b8fe-acf3c734f540",
- "risk_score": 50,
 "description": "Suricata Category - Malware Command and Control Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Malware Command and Control Activity",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Malware Command and Control Activity Detected\" or rule.category: \"Malware Command and Control Activity Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 100,
+ "rule_id": "56656341-2940-4a69-b8fe-acf3c734f540",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json
index aad3b2c5057cef..49928bd4caaa53 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "403ddbde-a486-4dd7-b932-cee4ebef88b6",
- "risk_score": 50,
 "description": "Suricata Category - Misc Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Misc Activity",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc activity\" or rule.category: \"Misc activity\")",
+ "risk_score": 25,
+ "rule_id": "403ddbde-a486-4dd7-b932-cee4ebef88b6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc activity\" or rule.category: \"Misc activity\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json
index eea27b6fa8ae2e..34c9059d264981 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "83277123-749f-49da-ad3d-d59f35490db1",
- "risk_score": 50,
 "description": "Suricata Category - Misc Attack",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Misc Attack",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc Attack\" or rule.category: \"Misc Attack\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "83277123-749f-49da-ad3d-d59f35490db1",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json
index 0eb2b136bbef9d..9bc0572e257795 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7e969b45-d005-4173-aee7-a7aaa79bc372",
- "risk_score": 50,
 "description": "Suricata Category - Network Scan Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Network Scan Detected",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Network Scan\" or rule.category: \"Detection of a Network Scan\")",
+ "risk_score": 25,
+ "rule_id": "7e969b45-d005-4173-aee7-a7aaa79bc372",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Network Scan\" or rule.category: \"Detection of a Network Scan\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json
index f3aeb8393c13f1..b319d5d2be079b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "76ffa464-ec03-42e1-87ee-87760c331061",
- "risk_score": 50,
 "description": "Suricata Category - Network Trojan Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Network Trojan Detected",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A Network Trojan was detected\" or rule.category: \"A Network Trojan was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 100,
+ "rule_id": "76ffa464-ec03-42e1-87ee-87760c331061",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json
index c3b696afa8e439..c104b1d2acc450 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "82f9f485-873b-4eeb-b231-052ab81e05b8",
- "risk_score": 50,
 "description": "Suricata Category - Non-Standard Protocol or Event",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Non-Standard Protocol or Event",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a non-standard protocol or event\" or rule.category: \"Detection of a non-standard protocol or event\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "82f9f485-873b-4eeb-b231-052ab81e05b8",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json
index e26180a429a812..4ff46e429c4c3a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c0f684ff-4f15-44e7-912d-aa8b8f08a910",
- "risk_score": 50,
 "description": "Suricata Category - Not Suspicious Traffic",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Not Suspicious Traffic",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Not Suspicious Traffic\" or rule.category: \"Not Suspicious Traffic\")",
+ "risk_score": 25,
+ "rule_id": "c0f684ff-4f15-44e7-912d-aa8b8f08a910",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Not Suspicious Traffic\" or rule.category: \"Not Suspicious Traffic\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json
index 7a11a3738b7a41..6b06e23648cbdb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "8adfa89f-aa90-4d26-9d7a-7da652cae902",
- "risk_score": 50,
 "description": "Suricata Category - Observed C2 Domain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Observed C2 Domain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Domain Observed Used for C2 Detected\" or rule.category: \"Domain Observed Used for C2 Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "8adfa89f-aa90-4d26-9d7a-7da652cae902",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json
index f21da57a4d7b74..7c4f096280ed47 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7d2d5a5f-f590-407d-933a-42adb1a7bcef",
- "risk_score": 50,
 "description": "Suricata Category - Possible Social Engineering Attempted",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Possible Social Engineering Attempted",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Possible Social Engineering Attempted\" or rule.category: \"Possible Social Engineering Attempted\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "7d2d5a5f-f590-407d-933a-42adb1a7bcef",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json
index 7303185c6e9a4f..7e5f92c15e4141 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1b9a31e8-fdfa-400e-aa4e-79a7f1a1da18",
- "risk_score": 50,
 "description": "Suricata Category - Possibly Unwanted Program",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Possibly Unwanted Program",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Possibly Unwanted Program Detected\" or rule.category: \"Possibly Unwanted Program Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "1b9a31e8-fdfa-400e-aa4e-79a7f1a1da18",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json
index d3f867778bb43b..221cfaab48e004 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1c70f5d5-eae0-4d00-b35a-d34ca607094e",
- "risk_score": 50,
 "description": "Suricata Category - Potential Corporate Privacy Violation",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Potential Corporate Privacy Violation",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Potential Corporate Privacy Violation\" or rule.category: \"Potential Corporate Privacy Violation\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "1c70f5d5-eae0-4d00-b35a-d34ca607094e",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json
index f77fe14014db30..fc1baf20147577 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "197cdd5a-9880-4780-a87c-594d0ed2b7b4",
- "risk_score": 50,
 "description": "Suricata Category - Potentially Bad Traffic",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Potentially Bad Traffic",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Potentially Bad Traffic\" or rule.category: \"Potentially Bad Traffic\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "197cdd5a-9880-4780-a87c-594d0ed2b7b4",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json
index 1665f8ca824249..cfcb246d44f4d1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0993e926-1a01-4c28-918a-cdd5741a19a8",
- "risk_score": 50,
 "description": "Suricata Category - Potentially Vulnerable Web Application Access",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Potentially Vulnerable Web Application Access",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"access to a potentially vulnerable web application\" or rule.category: \"access to a potentially vulnerable web application\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "0993e926-1a01-4c28-918a-cdd5741a19a8",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json
index e7b636c421c161..919083650682c9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f068e655-1f52-4d81-839a-9c08c6543ceb",
- "risk_score": 50,
 "description": "Suricata Category - Successful Administrator Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Successful Administrator Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful Administrator Privilege Gain\" or rule.category: \"Successful Administrator Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "f068e655-1f52-4d81-839a-9c08c6543ceb",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json
index bb87b86a75860a..feb708316fbd8a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "90f3e735-2187-4e8e-8d28-6e3249964851",
- "risk_score": 50,
 "description": "Suricata Category - Successful Credential Theft",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Successful Credential Theft",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful Credential Theft Detected\" or rule.category: \"Successful Credential Theft Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "90f3e735-2187-4e8e-8d28-6e3249964851",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json
index d6af6e2baabea2..8a7e366d25e585 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f8ebd022-6e92-4b80-ac49-7ee011ba2ce0",
- "risk_score": 50,
 "description": "Suricata Category - Successful User Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Successful User Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful User Privilege Gain\" or rule.category: \"Successful User Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "f8ebd022-6e92-4b80-ac49-7ee011ba2ce0",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json
index 205940bb7d0bc3..356c0d23dd4e9c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d0489b07-8140-4e3d-a2b7-52f2c06fdc7c",
- "risk_score": 50,
 "description": "Suricata Category - Suspicious Filename Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Suspicious Filename Detected",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious filename was detected\" or rule.category: \"A suspicious filename was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 25,
+ "rule_id": "d0489b07-8140-4e3d-a2b7-52f2c06fdc7c",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json
index a86ea16ddf2077..f41692fb218412 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "44a5c55a-a34f-43c3-8f21-df502862aa9b",
- "risk_score": 50,
 "description": "Suricata Category - System Call Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - System Call Detected",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A system call was detected\" or rule.category: \"A system call was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "44a5c55a-a34f-43c3-8f21-df502862aa9b",
+ "severity": "medium",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json
index 8923c07341b935..9c13b53f43263d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d299379d-41de-4640-96b6-77aaa9adfa6f",
- "risk_score": 50,
 "description": "Suricata Category - Targeted Malicious Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Targeted Malicious Activity",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Targeted Malicious Activity was Detected\" or rule.category: \"Targeted Malicious Activity was Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "d299379d-41de-4640-96b6-77aaa9adfa6f",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json
index a1e400c71b8be2..eb41269d58ffa1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ddf402cf-307d-4f46-a25d-dce3aee1ad13",
- "risk_score": 50,
 "description": "Suricata Category - TCP Connection Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - TCP Connection Detected",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A TCP connection was detected\" or rule.category: \"A TCP connection was detected\")",
+ "risk_score": 0,
+ "rule_id": "ddf402cf-307d-4f46-a25d-dce3aee1ad13",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A TCP connection was detected\" or rule.category: \"A TCP connection was detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json
index 28ae09a6cbe5c8..a260d049633b98 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "827ea90c-00c2-45f7-b873-dd060297b2d2",
- "risk_score": 50,
 "description": "Suricata Category - Unknown Traffic",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Unknown Traffic",
+ "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unknown Traffic\" or rule.category: \"Unknown Traffic\")",
+ "risk_score": 25,
+ "rule_id": "827ea90c-00c2-45f7-b873-dd060297b2d2",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unknown Traffic\" or rule.category: \"Unknown Traffic\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json
index 5eba26752f7177..c57cc857cef676 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "85471d30-78c9-48f6-b2db-ab5b2547e450",
- "risk_score": 50,
 "description": "Suricata Category - Unsuccessful User Privilege Gain",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Unsuccessful User Privilege Gain",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unsuccessful User Privilege Gain\" or rule.category: \"Unsuccessful User Privilege Gain\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 50,
+ "rule_id": "85471d30-78c9-48f6-b2db-ab5b2547e450",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json
index 6cd7b2d87ac1aa..4014473971b8ef 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "e856918b-f26e-4893-84b9-3deb65046fb7",
- "risk_score": 50,
 "description": "Suricata Category - Web Application Attack",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Category - Web Application Attack",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Web Application Attack\" or rule.category: \"Web Application Attack\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "risk_score": 75,
+ "rule_id": "e856918b-f26e-4893-84b9-3deb65046fb7",
+ "severity": "high",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json
index bffcd182358398..e77e977d780d5e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "481ef0f5-beda-4fa2-8bfb-039c95500deb",
- "risk_score": 50,
 "description": "Suricata CobaltStrike Artifact in an DNS Request",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata CobaltStrike Artifact in an DNS Request",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610166 or 2610167 or 2610168) or rule.id: (2610166 or 2610167 or 2610168))",
+ "risk_score": 100,
+ "rule_id": "481ef0f5-beda-4fa2-8bfb-039c95500deb",
+ "severity": "high",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610166 or 2610167 or 2610168)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json
index 334a632697a817..a866c79a858224 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1844dfe1-b05e-4ca6-b367-6b9e3a1fe227",
- "risk_score": 50,
 "description": "Suricata Commonly Abused DNS Domain Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Commonly Abused DNS Domain Detected",
+ "query": " event.module:suricata and event.kind:alert and (suricata.eve.alert.signature:(TGI* and *HUNT* and *Abused* and *TLD*) or rule.description:(TGI* and *HUNT* and *Abused* and *TLD*))",
+ "risk_score": 25,
+ "rule_id": "1844dfe1-b05e-4ca6-b367-6b9e3a1fe227",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature:(TGI* and *HUNT* and *Abused* and *TLD*) and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json
index 098b873210d6fa..862d5417fadcc4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json
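Review bot: The rewritten query string begins with a stray space, `" event.module:suricata and ..."`, while every other Suricata rule in this commit starts the query at `event.module`; trim it so the line reads `"query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature:(TGI* and *HUNT* and *Abused* and *TLD*) or rule.description:(TGI* and *HUNT* and *Abused* and *TLD*))"`. KQL most likely tolerates the leading whitespace, but it will trip any later exact-text comparison or dedupe of pre-packaged rule queries. Separately, terms with a leading wildcard such as `*HUNT*` and `*Abused*` are, as far as I know, among the most expensive KQL patterns to evaluate on keyword fields, so it may be worth a comment in the rules README noting that this rule is intentionally free-text rather than signature-ID based.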
@@ -1,17 +1,17 @@
 {
- "rule_id": "c0ca8090-60f8-4458-befe-c43687b648a3",
- "risk_score": 50,
 "description": "Suricata Directory Reversal Characters in an HTTP Request",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Directory Reversal Characters in an HTTP Request",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610161 or 2610162)",
+ "risk_score": 50,
+ "rule_id": "c0ca8090-60f8-4458-befe-c43687b648a3",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610161 or 2610162)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json
new file mode 100644
index 00000000000000..73cb913e271a16
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json
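Review bot: The moved query keeps the older form, `(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610161 or 2610162)`, without the `or rule.id: (...)` alternative that the other signature-ID rules in this commit gained (the CobaltStrike, HTTP-response, downloaded-zip and eval-PHP hunks). The same older form survives in the DNS-on-unusual-UDP-port, double-encoded-characters-in-a-URI and double-encoded-characters-in-an-HTTP-POST hunks. If `rule.id` is the intended field for events that have already been mapped to ECS, these four rules will silently miss those events; updating them to the same `signature_id ... or rule.id ...` shape as their siblings would keep coverage uniform.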
@@ -0,0 +1,38 @@
+{
+ "description": "Suricata Directory Traversal Characters in an HTTP Request Header",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata Directory Traversal Characters in an HTTP Request Header",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610161 or 2610162) or rule.id: (2610161 or 2610162))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L179-L184",
+ "This group of signatures detects directory traversal characters in a header of an HTTP request. This is not something you should see on a typical network and could indicate an attempt to exploit the web application."
+ ],
+ "risk_score": 50,
+ "rule_id": "7c663c8d-cdfd-4605-9dd6-d682fa4ade8c",
+ "severity": "medium",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json
index 3da22fcb912a88..c9d0db8ed300ee 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json
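Review bot: This new rule matches signature IDs 2610161 and 2610162, exactly the IDs the retained suricata_directory_reversal_characters_in_an_http_request.json rule (a different rule_id) already matches, so an installation that enables both gets two signals per alert; the new rule_id duplicate check in this PR does not catch overlap by signature. The same overlap appears in the new double-encoded-characters-in-HTTP-request file, whose query covers 2610090 and 2610092–2610095 and whose `name` is identical to the existing double-encoded-characters-in-a-URI rule, and in the widened DNS-on-unusual-port rule (2610015 or 2610013) against the UDP-port rule. If the older rules are meant to be superseded, deleting them here is clearer than shipping both. Separately, `references` mixes a URL with a free-text sentence; that sentence is a description and belongs in `description`, with `references` holding only URLs, and the same layout is used in the HTTP-response, downloaded-zip, DNS-unusual-port and double-encoded-characters files.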
@@ -1,17 +1,38 @@
 {
- "rule_id": "a6406974-ea70-45b5-b5d8-ca17695adbde",
- "risk_score": 50,
 "description": "Suricata Directory Traversal Characters in HTTP Response",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Directory Traversal Characters in HTTP Response",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610086 or rule.id:2610086)",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L89",
+ "This group of signatures detects directory traversal characters in a header of an HTTP response. This is not something you should see on a typical network and could indicate an attempt to exploit the web application."
+ ],
+ "risk_score": 75,
+ "rule_id": "a6406974-ea70-45b5-b5d8-ca17695adbde",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610086 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json
index 370f9f6ba83fc4..65f8195751fc52 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json
@@ -1,17 +1,38 @@
 {
- "rule_id": "d5d990bc-303c-4241-8138-6ba3cf2ee93e",
- "risk_score": 50,
 "description": "Suricata Directory Traversal in Downloaded Zip File",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Directory Traversal in Downloaded Zip File",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610085 or rule.id:2610085)",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L88",
+ "This group of signatures detects directory traversal characters in a zip archive downloaded over the network. This is not something you should see on a typical network and could indicate an attempt to trick a user to overwrite system files."
+ ],
+ "risk_score": 75,
+ "rule_id": "d5d990bc-303c-4241-8138-6ba3cf2ee93e",
+ "severity": "medium",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "techniques": [
+ {
+ "id": "T1204",
+ "name": "user execution",
+ "reference": "https://attack.mitre.org/techniques/T1204/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610085 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json
index 9389897a95b872..bd73b822f9f495 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json
@@ -1,17 +1,38 @@
 {
- "rule_id": "deeae336-4ff7-4cf8-ae5b-18bce05da02e",
- "risk_score": 50,
- "description": "Suricata DNS Traffic on Unusual TCP Port",
+ "description": "Suricata DNS Traffic on Unusual Port (TCP or UDP)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
- "name": "Suricata DNS Traffic on Unusual TCP Port",
+ "language": "kuery",
+ "name": "Suricata DNS Traffic on Unusual Port",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610015 or 2610013) or rule.id: (2610015 or 2610013))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L14-L16",
+ "This detects DNS traffic running on an unusual port. This could indicate an application that is misconfigured or attempting to bypass security controls."
+ ],
+ "risk_score": 50,
+ "rule_id": "deeae336-4ff7-4cf8-ae5b-18bce05da02e",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "command and control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "techniques": [
+ {
+ "id": "T1065",
+ "name": "uncommonly used port",
+ "reference": "https://attack.mitre.org/techniques/T1065/"
+ }
+ ]
+ }
+ ],
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610013 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
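Review bot: The rule is widened to both transports (`"description": "Suricata DNS Traffic on Unusual Port (TCP or UDP)"`, query on 2610015 or 2610013) but it still lives in `suricata_dns_traffic_on_unusual_tcp_port.json`, so the file name now contradicts the rule it holds; if the rules index is regenerated from file names, as the PR description suggests, that mismatch is what readers of the index will see. Either rename the file to match the new scope or, if the path must stay stable for the immutable rule, add a sentence to `description` saying the rule was widened from TCP-only. The new `name`, `Suricata DNS Traffic on Unusual Port`, also drops the `(TCP or UDP)` qualifier that `description` carries; keeping the two in step avoids a second source of confusion.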
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json
index a6bcf664bf803f..eb9b06f3cab145 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "2343d9a4-365b-45b2-acb0-76934d43c75b",
- "risk_score": 50,
 "description": "Suricata DNS Traffic on Unusual UDP Port",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata DNS Traffic on Unusual UDP Port",
+ "query": "suricata.eve.alert.signature_id:2610015 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "2343d9a4-365b-45b2-acb0-76934d43c75b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610015 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json
index 005156b68ba982..eaed3aabed8f24 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1ed4d2d1-330c-4c7d-b32d-2d8805437946",
- "risk_score": 50,
 "description": "Suricata Double Encoded Characters in a URI",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Double Encoded Characters in a URI",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610092 or 2610093 or 2610094 or 2610095)",
+ "risk_score": 50,
+ "rule_id": "1ed4d2d1-330c-4c7d-b32d-2d8805437946",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610092 or 2610093 or 2610094 or 2610095)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json
index 2ff186a4026bba..136ea957be766e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a839a360-94ae-4219-b1cc-458d836333a7",
- "risk_score": 50,
 "description": "Suricata Double Encoded Characters in an HTTP POST",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Double Encoded Characters in an HTTP POST",
+ "query": "suricata.eve.alert.signature_id:2610090 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "a839a360-94ae-4219-b1cc-458d836333a7",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610090 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json
new file mode 100644
index 00000000000000..3cbdb6da3c141f
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json
@@ -0,0 +1,38 @@
+{
+ "description": "Suricata Double Encoded Characters in a URI",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata Double Encoded Characters in a URI",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610090 or 2610092 or 2610093 or 2610094 or 2610095) or rule.id: (2610090 or 2610092 or 2610093 or 2610094 or 2610095))",
+ "references": [
+ "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules",
+ "This group of signatures detects double encoding of characters in an HTTP request. This is not something you should see on a typical network and could indicate an attempt to exploit the web application or bypass detections."
+ ],
+ "risk_score": 25,
+ "rule_id": "8aedfe6f-9219-463b-808b-91e7ea8ea5e8",
+ "severity": "low",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json
index 16f47eb0ba663d..986ac161d70df1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "8c77b4ed-4e98-438b-adb0-d645d4a4ea26",
- "risk_score": 50,
 "description": "Suricata eval PHP Function in an HTTP Request",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata eval PHP Function in an HTTP Request",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610088 or rule.id: 2610088)",
+ "risk_score": 50,
+ "rule_id": "8c77b4ed-4e98-438b-adb0-d645d4a4ea26",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610088 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json
new file mode 100644
index 00000000000000..54b881428aa34c
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027349 or 2027350) or rule.id: (2027349 or 2027350))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2018-1000861"],
+ "risk_score": 100,
+ "rule_id": "ada41f8a-92b1-49d0-80ac-c4bc28824ab5",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json
new file mode 100644
index 00000000000000..c050b73114bf52
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json
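Review bot: The five new CVE rules (this one through the Bluekeep file) key on vendor rule-set signature IDs — `ET WEB_SPECIFIC_APPS` 2027349/2027350 here, `[PTsecurity]` 10004698 and 10004953 in the Axis and Tomcat files — but `description` never says which Suricata rule set has to be loaded, so on a sensor without it the rule simply never matches and nothing tells the operator why. A sentence such as `Requires the Suricata rule set that provides signature IDs 2027349 and 2027350 (ET WEB_SPECIFIC_APPS).` in each description would make that dependency visible, and the description is the only field the rule-management UI surfaces for it. The `Suricata` prefix is also applied unevenly across the set: here and in the Axis, Tomcat and Rails files `name` carries it and `description` does not, while in the Bluekeep file neither does. The `references` array holds only the NVD entry; the rule-set documentation for the signature would help a triager confirm what the signature actually inspects.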
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Possible Apache Axis RCE via SSRF (CVE-2019-0227)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Possible Apache Axis RCE via SSRF (CVE-2019-0227)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004698) or rule.id: (10004698))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0227"],
+ "risk_score": 100,
+ "rule_id": "2c8f321c-ba84-4c16-80dd-f20ea06e0c6d",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json
new file mode 100644
index 00000000000000..9522a286f7898c
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004953) or rule.id: (10004953))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0232"],
+ "risk_score": 100,
+ "rule_id": "fd7ef9a2-f010-49c1-8e08-31d84a9607dd",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json
new file mode 100644
index 00000000000000..95940a5396b943
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027096) or rule.id: (2027096))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0604"],
+ "risk_score": 100,
+ "rule_id": "ec50104d-26b1-45a6-b80e-768bd13cc34c",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json
new file mode 100644
index 00000000000000..401e1e815ea521
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json
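Review bot: The reference and file name point at CVE-2019-0604, but the signature this rule matches (sid 2027096, "Rails Arbitrary File Disclosure Attempt") is a Ruby on Rails issue, while CVE-2019-0604 is the Microsoft SharePoint deserialization RCE, so an analyst following the link from an alert lands on an unrelated advisory. The Rails file-disclosure bug is tracked as CVE-2019-5418; the reference should become `"references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-5418"]` and the file renamed to match, unless the intent was a SharePoint rule, in which case the query needs a different sid. Worth confirming against the ET rule metadata before merging, since the description and name were copied from it verbatim.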
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004867 or 2027369) or rule.id: (10004867 or 2027369))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0708"],
+ "risk_score": 100,
+ "rule_id": "1589bff6-ec82-4acf-8f67-68ef0f3676d0",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json
new file mode 100644
index 00000000000000..5f256681aedd9f
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json
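Review bot: The `name` here drops the "Suricata " prefix that every other rule in this set carries, so in the rules table it sorts and filters away from its siblings even though it is the same kind of Suricata pass-through. For consistency it should read `"name": "Suricata ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)"`. Also note the query mixes an ET Open sid (2027369) with a PTsecurity sid (10004867), so only the former will fire on an ET-Open-only sensor; a sentence in the description saying so would save a triage question later.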
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027721) or rule.id: (2027721))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0752"],
+ "risk_score": 100,
+ "rule_id": "5aa5f6db-2cc7-43de-ac8b-c7daa52ba9c3",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json
new file mode 100644
index 00000000000000..c470783b0266d3
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json
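Review bot: The ATT&CK mapping is wrong for this signature: an Internet Explorer scripting-engine memory corruption is a client-side exploit delivered to a browser, not an attack on a public-facing service, so T1190 "exploit public-facing application" will mislead anyone pivoting from the technique. The fitting entries are T1189 Drive-by Compromise (still under initial access) or T1203 Exploitation for Client Execution, e.g. `"id": "T1189", "name": "drive-by compromise", "reference": "https://attack.mitre.org/techniques/T1189/"`. The same correction applies to the Zoom client rule later in this set.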
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027349 or 2027350 or 2027346) or rule.id: (2027349 or 2027350 or 2027346))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-1003000"],
+ "risk_score": 100,
+ "rule_id": "6deba829-00ac-4298-bc80-976e4ef215d2",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json
new file mode 100644
index 00000000000000..2c18ecc3104fd2
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027442) or rule.id: (2027442))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-10149"],
+ "risk_score": 100,
+ "rule_id": "e52d833a-0642-4076-89e9-6b7263361cee",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json
new file mode 100644
index 00000000000000..0e2c8cfa7339d2
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json
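Review bot: Both `description` and `name` end with an unclosed parenthesis, `(CVE-2019-10149`, which is what users will see in the rule list and in every generated signal. The strings were presumably copied from the ET rule title as-is; the user-facing copies should be `"description": "ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"` and `"name": "Suricata ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"`. A linter check that `name` has balanced parentheses would catch the other two instances in this batch.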
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028895) or rule.id: (2028895))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11043"],
+ "risk_score": 100,
+ "rule_id": "7955c692-1259-4f77-aa9e-95a98b69d4aa",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json
new file mode 100644
index 00000000000000..65a6874f09932a
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027904) or rule.id: (2027904))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11510"],
+ "risk_score": 100,
+ "rule_id": "d2dbbfee-2104-4d20-b562-d466b0b2c5ef",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json
new file mode 100644
index 00000000000000..6e3e8bc8cdbb72
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027712) or rule.id: (2027712))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11580"],
+ "risk_score": 100,
+ "rule_id": "f6e6c803-b44c-44b1-acbb-cd3e5bca10f8",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json
new file mode 100644
index 00000000000000..34b93871fa10b6
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027711) or rule.id: (2027711))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11581"],
+ "risk_score": 100,
+ "rule_id": "720663fb-23da-43a5-bf4f-907265e5426d",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json
new file mode 100644
index 00000000000000..ae014db82194eb
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json
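Review bot: `description` and `name` both end with an unclosed parenthesis, `(CVE-2019-11581`, and these are the strings shown in the rules table and on every signal. They should read `"description": "ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)"` and `"name": "Suricata ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)"`. The truncation presumably came from the upstream ET title, so it is worth checking the converter rather than just this file.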
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027696) or rule.id: (2027696))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-13450"],
+ "risk_score": 100,
+ "rule_id": "04a9d926-51bb-4981-8116-04ee63f1ad75",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json
new file mode 100644
index 00000000000000..5a70886a844699
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json
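Review bot: This rule has two problems in its user-facing metadata: the unclosed parenthesis `(CVE-2019-13450` in both `description` and `name`, and an ATT&CK mapping to T1190 "exploit public-facing application" for what is a client-side issue (the Zoom desktop client's local helper being driven from a web page), which does not involve a public-facing service at all. Fix the strings to `"... Zoom Client Auto-Join (CVE-2019-13450)"`, and map the technique to T1189 Drive-by Compromise or T1203 Exploitation for Client Execution instead. Given the impact is an unwanted meeting auto-join rather than code execution, `"severity": "high"` with `"risk_score": 100` also looks inflated next to the RCE rules in this batch.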
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Appointment Hour Booking - WordPress Plugin - Stored XSS (CVE-2019-13505)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Appointment Hour Booking - WordPress Plugin - Stored XSS (CVE-2019-13505)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027706) or rule.id: (2027706))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-13505"],
+ "risk_score": 100,
+ "rule_id": "7b47f6a7-ae2a-46a1-a718-641649dfbfd6",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json
new file mode 100644
index 00000000000000..cbede3be1782bf
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json
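Review bot: A stored XSS attempt against a WordPress booking plugin is scored `"risk_score": 100` and `"severity": "high"`, identical to the unauthenticated RCE rules in this batch, so the score carries no triage signal and an analyst sorting signals by risk will see this alongside WebLogic and Citrix code-execution attempts. Every rule in this set uses 100/high; this one at least should drop to `"severity": "medium"` with a correspondingly lower `risk_score` so the field means something. It is also unclear from the signature alone whether a match means the payload was stored or merely attempted, which the description could say.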
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SERVER Webmin RCE CVE-2019-15107",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SERVER Webmin RCE CVE-2019-15107",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027896) or rule.id: (2027896))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-15107"],
+ "risk_score": 100,
+ "rule_id": "37f923c4-048d-4a17-b804-b4f895477962",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json
new file mode 100644
index 00000000000000..99ac06aa715aab
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027959 or 2027960) or rule.id: (2027959 or 2027960))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-15846"],
+ "risk_score": 100,
+ "rule_id": "1d625e03-a21b-40c8-82c0-edb497a48254",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json
new file mode 100644
index 00000000000000..0fe9cde7307e8c
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029159 or 2029158) or rule.id: (2029159 or 2029158))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16072"],
+ "risk_score": 100,
+ "rule_id": "5cf97dad-2327-4010-8498-64e5d53fd317",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json
new file mode 100644
index 00000000000000..254c6019a039d3
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json
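Review bot: The signature title says "(Outbound)", meaning a match is a host inside the monitored network sending the exploit, yet the rule is tagged TA0001 initial access, which describes the opposite direction; an outbound exploit attempt is evidence the source host is already compromised or is an internal actor, and the description should say so explicitly so responders look at the source rather than the destination. The query also ORs two sids, 2029159 and 2029158, and if one of them is the inbound variant the "(Outbound)" name is wrong for half the matches; worth confirming against the ET rule text. A description along the lines of "A match on the outbound signature indicates the source host is attempting exploitation and should be treated as compromised" would prevent misreading.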
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2026860) or rule.id: (2026860))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-1652"],
+ "risk_score": 100,
+ "rule_id": "ed220bf3-6617-41c3-8a03-8726d17e3dfc",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json
new file mode 100644
index 00000000000000..d804e7dc181739
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC (CVE-2019-16662)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC (CVE-2019-16662)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028933) or rule.id: (2028933))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16662"],
+ "risk_score": 100,
+ "rule_id": "777097d9-059e-409f-9509-67d7f90aea8c",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json
new file mode 100644
index 00000000000000..7ceebbe31c0ea2
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028621 or 2028625 or 2028826) or rule.id: (2028621 or 2028625 or 2028826))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16759"],
+ "risk_score": 100,
+ "rule_id": "145634a6-6d3d-4e78-bd51-ffe6f69f6bbb",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json
new file mode 100644
index 00000000000000..2c970e3248a642
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028636) or rule.id: (2028636))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16928"],
+ "risk_score": 100,
+ "rule_id": "39bb4ff1-ec7c-4379-9a07-ad24b83060bf",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json
new file mode 100644
index 00000000000000..2ed70492f52cad
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json
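Review bot: The signature is titled "Possible EXIM DoS" but the rule maps it to TA0001 initial access / T1190, which is inconsistent with the name: if the expected outcome really is denial of service, the ATT&CK entry that fits is TA0040 Impact with T1499 Endpoint Denial of Service. CVE-2019-16928 is a heap overflow in Exim that may be exploitable beyond a crash, so the mapping might be defensible, but then the name and description should not say DoS. Either way the metadata should be made to agree with itself before shipping as an immutable rule.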
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029153 or 2029152) or rule.id: (2029153 or 2029152))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-17270"],
+ "risk_score": 100,
+ "rule_id": "e6f42ad9-c024-46de-99d8-492d780cdd5e",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json
new file mode 100644
index 00000000000000..9c84f3042e86ce
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027368) or rule.id: (2027368))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-1821"],
+ "risk_score": 100,
+ "rule_id": "5aed0105-a86a-4502-9a8b-169ee24b0c7f",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json
new file mode 100644
index 00000000000000..2ee5d4bff1cbe5
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json
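Review bot: "Infrastruture" is misspelled in both `description` and `name`; it was presumably inherited from the upstream ET rule title, but these are the Kibana-facing strings and the typo will also defeat anyone searching the rules list for "Infrastructure". Change to `"name": "Suricata ET WEB_SPECIFIC_APPS Cisco Prime Infrastructure RCE - CVE-2019-1821"` and the same in `description`. Since the rule is `immutable`, fixing it later means a version bump rather than a user edit, so it is cheaper to get right now.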
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029206 or 2029255) or rule.id: (2029206 or 2029255))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-19781"],
+ "risk_score": 100,
+ "rule_id": "6fde4e79-bf78-4173-b395-73377e289a73",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json
new file mode 100644
index 00000000000000..7ca97786945ff1
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json
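Review bot: The `name` and `description` carry the "M2" suffix of a single ET signature variant, but the query matches two sids, 2029206 or 2029255, so if 2029206 is the non-M2 variant (which the numbering suggests, though I cannot confirm from this diff) half of the signals will be labelled with the wrong variant. Since this rule aggregates both, drop the suffix: `"name": "Suricata ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"`. The per-sid detail is still available on the underlying Suricata event.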
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Oracle Weblogic file upload RCE (CVE-2019-2618)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Oracle Weblogic file upload RCE (CVE-2019-2618)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004781) or rule.id: (10004781))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-2618"],
+ "risk_score": 100,
+ "rule_id": "7ba6a778-647c-4506-8314-8206cf31f513",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json
new file mode 100644
index 00000000000000..66a7c63c9b3735
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Oracle Weblogic _async deserialization RCE Attempt (CVE-2019-2725)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Oracle Weblogic _async deserialization RCE Attempt (CVE-2019-2725)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004779 or 10004927) or rule.id: (10004779 or 10004927))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-2725"],
+ "risk_score": 100,
+ "rule_id": "f7879284-38e9-40d4-a471-6e1b38fd5a9f",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json
new file mode 100644
index 00000000000000..b4a0f0284665dd
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004699 or 2027333) or rule.id: (10004699 or 2027333))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-3396"],
+ "risk_score": 100,
+ "rule_id": "d51ce0e4-31fa-4ffb-a1a6-7f9fa386ea52",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json
new file mode 100644
index 00000000000000..ae6e48baa0fa6a
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027451 or 2027450) or rule.id: (2027451 or 2027450))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-3929"],
+ "risk_score": 100,
+ "rule_id": "0a6fefd6-22dd-4c78-aba8-e949b04360b4",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json
new file mode 100644
index 00000000000000..42d9793336ae36
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json
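Review bot: The wrapped ET signature is named `... Remote Command Injection Outbound`, yet the `threats` block tags it as TA0001 initial access / T1190 exploit public-facing application. If ET's "Outbound" convention means the request is leaving the monitored network, an alert indicates an internal host attacking an external target (a compromised host, a scanner, or a pentester) rather than an intrusion into this environment, so the tactic mapping is likely wrong and the description gives no hint of the direction. Confirm the signature direction and either change the mapping or add a sentence to `"description"` such as `"... Outbound (CVE-2019-3929). Fires when a monitored host sends the exploit request to an external target."`.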
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028928) or rule.id: (2028928))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-5533"],
+ "risk_score": 100,
+ "rule_id": "65012760-1f26-47a3-b2d3-a685d638483f",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json
new file mode 100644
index 00000000000000..cd55b6be262dcb
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json
@@ -0,0 +1,35 @@
+{
+ "description": "ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004555) or rule.id: (10004555))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-6340"],
+ "risk_score": 100,
+ "rule_id": "4b2b4879-45c6-4721-b058-143f07aa474f",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json
new file mode 100644
index 00000000000000..e8cfcb0cfc7916
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029207) or rule.id: (2029207))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-7256"],
+ "risk_score": 100,
+ "rule_id": "8ef47e09-39f5-494a-82b7-3aca4310ea96",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json
new file mode 100644
index 00000000000000..0537004ae4b2d5
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json
@@ -0,0 +1,35 @@
+{
+ "description": "ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suricata ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978",
+ "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027315) or rule.id: (2027315))",
+ "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-9978"],
+ "risk_score": 100,
+ "rule_id": "6b185518-b84a-44b7-843c-01c95b5a2a83",
+ "severity": "high",
+ "threats": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "initial access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "techniques": [
+ {
+ "id": "T1190",
+ "name": "exploit public-facing application",
+ "reference": "https://attack.mitre.org/techniques/T1190/"
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json
index 40ada9bb874259..8c36a7052a720a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json
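Review bot: Both `"description"` and `"name"` are missing the closing parenthesis after the CVE identifier (`... Plugin Inbound (CVE-2019-9978`), and since `name` is the rule's display string the typo is user-visible. Change both to end with `(CVE-2019-9978)"` so they match the other seven `suricata_exploit_cve_*` rules in this commit.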
@@ -1,17 +1,17 @@
 {
- "rule_id": "b1adc850-0fe3-4dac-94d3-6f240071f83a",
- "risk_score": 50,
 "description": "Suricata FTP Traffic on Unusual Port, Internet Destination",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata FTP Traffic on Unusual Port, Internet Destination",
+ "query": "suricata.eve.alert.signature_id:2610005 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "b1adc850-0fe3-4dac-94d3-6f240071f83a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610005 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json
index 8da00c75cedc3b..72228ce1215755 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json
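Review bot: The re-emitted `query` line implements "Internet Destination" by excluding only the three RFC 1918 blocks, so alerts whose destination is loopback, link-local (`169.254.0.0/16`), shared address space (`100.64.0.0/10`) or any private/link-local IPv6 range (`fc00::/7`, `fe80::/10`) are still treated as internet-bound. If the intent is "not a local destination", append e.g. `and not destination.ip:127.0.0.0/8 and not destination.ip:169.254.0.0/16 and not destination.ip:fc00::/7 and not destination.ip:fe80::/10` (this presumes `destination.ip` is an `ip`-typed field so CIDR terms also match IPv6 — confirm against the index mapping). The same three-block filter is repeated in the HTTP, IMAP, non-HTTP-on-80 and non-TLS rules in this commit, so whichever exclusion list is chosen should be applied to all of them.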
@@ -1,17 +1,17 @@
 {
- "rule_id": "43795909-913c-419d-8355-7f2880694bec",
- "risk_score": 50,
 "description": "Suricata HTTP Traffic On Unusual Port, Internet Destination",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata HTTP Traffic On Unusual Port, Internet Destination",
+ "query": " suricata.eve.alert.signature_id:2610001 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "43795909-913c-419d-8355-7f2880694bec",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " suricata.eve.alert.signature_id:2610001 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json
index 4f7bfc2baaf37a..1f06fbb0a337db 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json
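Review bot: The `query` value is carried over with a stray leading space (`" suricata.eve.alert.signature_id:2610001 ..."`). KQL should tolerate it, but the stored text then differs from every sibling rule and could trip any exact-string comparison between an installed rule and the pre-packaged copy; since this commit already rewrites the line, trim it: `"query": "suricata.eve.alert.signature_id:2610001 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",`.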
@@ -1,17 +1,17 @@
 {
- "rule_id": "738ee70b-7d0f-438f-98ac-a393df58c58f",
- "risk_score": 50,
 "description": "Suricata IMAP Traffic on Unusual Port, internet Destination",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata IMAP Traffic on Unusual Port, internet Destination",
+ "query": "suricata.eve.alert.signature_id:2610009 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "738ee70b-7d0f-438f-98ac-a393df58c58f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610009 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json
index ed46470838069b..9c2d818b88c5d3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c6e6f16f-66de-43d5-8ab7-599af536dedf",
- "risk_score": 50,
 "description": "Suricata LaZagne Artifact in an HTTP POST",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata LaZagne Artifact in an HTTP POST",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610149 or 2610150)",
+ "risk_score": 50,
+ "rule_id": "c6e6f16f-66de-43d5-8ab7-599af536dedf",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610149 or 2610150)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json
index b3a8079c16f11d..0cbf4092bfa31d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json
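Review bot: This rule's `query` matches only the module-specific `suricata.eve.alert.signature_id`, whereas the `suricata_exploit_cve_*` rules added in the same commit also accept the ECS `rule.id` (`... or rule.id: (...)`). If any ingest path populates only the ECS field, this rule and the other reordered Suricata rules here would silently miss those events while the new rules catch them; for consistency consider `"query": "(event.module:suricata and event.kind:alert) and (suricata.eve.alert.signature_id: (2610149 or 2610150) or rule.id: (2610149 or 2610150))",`. If instead `rule.id` is never set for this module, drop it from the new rules — either way the two query styles should not coexist in one rule set.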
@@ -1,17 +1,17 @@
 {
- "rule_id": "1b62e8af-c10d-4708-9a74-118cb1c9ed8a",
- "risk_score": 50,
 "description": "Suricata Mimikatz Artifacts in an HTTP POST",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Mimikatz Artifacts in an HTTP POST",
+ "query": "suricata.eve.alert.signature_id:2610155 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "1b62e8af-c10d-4708-9a74-118cb1c9ed8a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610155 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json
index c72f6b348e2593..730aaa63ab07db 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "2b365d3a-11a3-4bec-9698-b36c908f46ff",
- "risk_score": 50,
 "description": "Suricata Mimikatz String Detected in HTTP Response",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Mimikatz String Detected in HTTP Response",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610144 or 2610145 or 2610146 or 2610147 or 2610148)",
+ "risk_score": 50,
+ "rule_id": "2b365d3a-11a3-4bec-9698-b36c908f46ff",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610144 or 2610145 or 2610146 or 2610147 or 2610148)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json
index 66eff77cf43bcd..96f180fee09902 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "67c7d28e-8be4-49ae-9c89-5c328ea245dc",
- "risk_score": 50,
 "description": "Suricata non-DNS Traffic on TCP Port 53",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-DNS Traffic on TCP Port 53",
+ "query": "suricata.eve.alert.signature_id:2610014 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "67c7d28e-8be4-49ae-9c89-5c328ea245dc",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610014 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json
index e09a4357ba5d45..95458f14b0b2c6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ba6dea7f-ba98-4a86-b570-d05d85472e79",
- "risk_score": 50,
 "description": "Suricata non-DNS Traffic on UDP Port 53",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-DNS Traffic on UDP Port 53",
+ "query": "suricata.eve.alert.signature_id:2610016 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "ba6dea7f-ba98-4a86-b570-d05d85472e79",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610016 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json
index 405be74eb83400..42bcc2fa1bca19 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ee2b07ec-94dd-48b2-b46b-7bef47cc43fc",
- "risk_score": 50,
 "description": "Suricata non-FTP Traffic on Port 21",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-FTP Traffic on Port 21",
+ "query": "suricata.eve.alert.signature_id:2610006 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "ee2b07ec-94dd-48b2-b46b-7bef47cc43fc",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610006 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json
index cd93ceec2374fb..af681646e8224f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "70f9bd9f-accc-4da8-8674-38992096ddba",
- "risk_score": 50,
 "description": "Suricata non-HTTP Traffic on TCP Port 80",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-HTTP Traffic on TCP Port 80",
+ "query": "suricata.eve.alert.signature_id:2610002 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "70f9bd9f-accc-4da8-8674-38992096ddba",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610002 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json
index 39e5fd188aa4a7..548b35165028c3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "241b6a1d-4f73-4b68-bd98-22e909681930",
- "risk_score": 50,
 "description": "Suricata non-IMAP Traffic on Port 1443 (IMAP)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-IMAP Traffic on Port 1443 (IMAP)",
+ "query": "suricata.eve.alert.signature_id:2610010 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "241b6a1d-4f73-4b68-bd98-22e909681930",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610010 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json
index 0fd1c59a3bc629..a7e57103c633d9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c259ab53-4b1a-42f6-b204-fe057c521515",
- "risk_score": 50,
 "description": "Suricata non-SMB Traffic on TCP Port 139 (SMB)",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-SMB Traffic on TCP Port 139 (SMB)",
+ "query": "suricata.eve.alert.signature_id:2610011 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "c259ab53-4b1a-42f6-b204-fe057c521515",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610011 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json
index 3d1cc2e61b1a9c..3e07bd7a97cb85 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "256e9e8b-8366-4f23-8cbe-c9eb5ba25633",
- "risk_score": 50,
 "description": "Suricata non-SSH Traffic on Port 22",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-SSH Traffic on Port 22",
+ "query": "suricata.eve.alert.signature_id:2610008 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "256e9e8b-8366-4f23-8cbe-c9eb5ba25633",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610008 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json
index 1fd905e6e4647b..16dc9f46f0e32e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b060c87f-af49-40eb-acee-561a1f1331aa",
- "risk_score": 50,
 "description": "Suricata non-TLS on TLS Port",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata non-TLS on TLS Port",
+ "query": "suricata.eve.alert.signature_id:2610004 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "b060c87f-af49-40eb-acee-561a1f1331aa",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610004 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json
index a6534d72a9655b..e8bc59f1b5268a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "6099a760-7293-4e26-8aa8-b984abb32ac6",
- "risk_score": 50,
 "description": "Suricata Possible Cobalt Strike Malleable C2 Null Response",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Possible Cobalt Strike Malleable C2 Null Response",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610202 or 2610203)",
+ "risk_score": 50,
+ "rule_id": "6099a760-7293-4e26-8aa8-b984abb32ac6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610202 or 2610203)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json
index 0a8b4a9861f9be..8b208e5586726a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "cdfbcd5e-1d8e-47e6-b3f2-b09bce780640",
- "risk_score": 50,
 "description": "Suricata Possible SQL Injection - SQL Commands in HTTP Transactions",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Possible SQL Injection - SQL Commands in HTTP Transactions",
+ "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610117 or 2610118 or 2610118 or 2610119 or 2610121 or 2610122 or 2610123)",
+ "risk_score": 50,
+ "rule_id": "cdfbcd5e-1d8e-47e6-b3f2-b09bce780640",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610117 or 2610118 or 2610118 or 2610119 or 2610121 or 2610122 or 2610123)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json
index 4431f46125ef3e..fe3d500b42d3e9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json
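Review bot: The signature list in the re-emitted `query` repeats `2610118` and skips `2610120` (`2610117 or 2610118 or 2610118 or 2610119 or 2610121 ...`); the duplicate is harmless inside the OR, but the gap suggests the second `2610118` was meant to be `2610120`, in which case one SQL-injection signature is silently not covered by this rule. Since the commit rewrites the line anyway while reordering keys, confirm against the Suricata ruleset and either correct it to `suricata.eve.alert.signature_id: (2610117 or 2610118 or 2610119 or 2610120 or 2610121 or 2610122 or 2610123)` or at least drop the duplicate.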
@@ -1,17 +1,17 @@
 {
- "rule_id": "87e77fb6-b555-43be-adc5-f57c6aaf7cd0",
- "risk_score": 50,
 "description": "Suricata RPC Traffic on HTTP Ports",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata RPC Traffic on HTTP Ports",
+ "query": "suricata.eve.alert.signature_id:2610012 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "87e77fb6-b555-43be-adc5-f57c6aaf7cd0",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610012 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json
index a176be109f8ffa..a59cc42fa4557f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "3baa5b65-d11e-40fb-a9b4-6b2a6a062d48",
- "risk_score": 50,
 "description": "Suricata Serialized PHP Detected",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Serialized PHP Detected",
+ "query": "suricata.eve.alert.signature_id:2610091 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "3baa5b65-d11e-40fb-a9b4-6b2a6a062d48",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610091 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json
index c1fdb1c083789e..e4fd0e866e7cf9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "082fca48-4707-485a-aedb-340ee77e0687",
- "risk_score": 50,
 "description": "Suricata shell_exec PHP Function in an HTTP POST",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata shell_exec PHP Function in an HTTP POST",
+ "query": "suricata.eve.alert.signature_id:2610087 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "082fca48-4707-485a-aedb-340ee77e0687",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610087 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json
index ee0510d1e37ac1..a22c3a4fdfdd40 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "82265eef-1212-4c4f-af04-f977a3060592",
- "risk_score": 50,
 "description": "Suricata SSH Traffic Not on Port 22, Internet Destination",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata SSH Traffic Not on Port 22, Internet Destination",
+ "query": "suricata.eve.alert.signature_id:2610007 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "82265eef-1212-4c4f-af04-f977a3060592",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610007 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json
index 3d0d5175168f1e..23f1f79bc42487 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json
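Review bot: The "Internet Destination" qualifier in this rule is implemented on the new `query` line only as `not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16`, so loopback, link-local and other non-routable destinations (127.0.0.0/8, 169.254.0.0/16, and similar) are still treated as Internet traffic. If that is not intended, the exclusion list should be extended or the description should say "non-RFC1918 destination" instead. The same three-network exclusion is used unchanged in the TLS rule that follows and in the BITS, Certutil and Command Prompt "Connecting to the Internet" rules further down, so whichever choice is made should be applied to all of them.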
@@ -1,17 +1,17 @@
 {
- "rule_id": "6c1db8ba-db4b-4513-a0e3-b3c857ba8b05",
- "risk_score": 50,
 "description": "Suricata TLS Traffic on Unusual Port, Internet Destination",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata TLS Traffic on Unusual Port, Internet Destination",
+ "query": "suricata.eve.alert.signature_id:2610003 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "6c1db8ba-db4b-4513-a0e3-b3c857ba8b05",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610003 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json
index 7ab997b11fb263..9717beac902e5f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f7f038f4-b97a-4d0c-b3b6-d5fa1ad15951",
- "risk_score": 50,
 "description": "Suricata Windows Executable Served by JPEG Web Content",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Suricata Windows Executable Served by JPEG Web Content",
+ "query": "suricata.eve.alert.signature_id:2610084 and (event.module:suricata and event.kind:alert)",
+ "risk_score": 50,
+ "rule_id": "f7f038f4-b97a-4d0c-b3b6-d5fa1ad15951",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "suricata.eve.alert.signature_id:2610084 and (event.module:suricata and event.kind:alert)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json
index 43e246cf7c26f2..37cf174786f975 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json
@@ -1,29 +1,22 @@
 {
- "rule_id": "e49b532b-3e52-4f3d-90f6-05a86982d347",
- "risk_score": 50,
 "description": "Suspicious process started by a script",
- "immutable": true,
- "interval": "5m",
- "name": "Suspicious process started by a script",
- "severity": "low",
- "type": "query",
- "from": "now-6m",
- "to": "now",
- "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe)",
- "language": "kuery",
+ "enabled": false,
 "filters": [
 {
+ "$state": {
+ "store": "appState"
+ },
 "meta": {
- "negate": false,
- "type": "phrase",
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
+ "negate": false,
 "params": {
 "query": "Process Create (rule: ProcessCreate)"
 },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+ "type": "phrase",
+ "value": "Process Create (rule: ProcessCreate)"
 },
 "query": {
 "match": {
@@ -32,12 +25,19 @@
 "type": "phrase"
 }
 }
- },
- "$state": {
- "store": "appState"
 }
 }
 ],
- "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suspicious process started by a script",
+ "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe)",
+ "risk_score": 50,
+ "rule_id": "e49b532b-3e52-4f3d-90f6-05a86982d347",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
index 5842b67076edda..301954fc587452 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
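Review bot: The `query` added on the new side of this hunk contains a field-less term in its second group, `... or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe ...`, while every sibling term is qualified with `process.name:`. In KQL a bare term is matched against all searchable fields, so that branch fires for any event that passes the parent-process group and mentions `mshta.exe` anywhere (command-line arguments, a path, the parent name), which is wider than the rule's name describes and looks like a dropped field prefix rather than a deliberate free-text match. Change it to `process.name:mshta.exe`. The key-order change itself is fine; the `event.action` filter this rule relies on is defined in the first hunk of this file.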
@@ -1,17 +1,17 @@
 {
- "rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc",
- "risk_score": 50,
 "description": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet",
+ "query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
index 4d87d53eb246d1..22429df353679c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0f09845b-2ec8-4770-8155-7df3d4e402cc",
- "risk_score": 50,
 "description": "Windows Burp CE activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Burp CE activity",
+ "query": "process.name:BurpSuiteCommunity.exe",
+ "risk_score": 50,
+ "rule_id": "0f09845b-2ec8-4770-8155-7df3d4e402cc",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:BurpSuiteCommunity.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
index 2e0c9e2b71ae64..6cf9a375586bae 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c",
- "risk_score": 50,
 "description": "Windows: Certutil Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Certutil Connecting to the Internet",
+ "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
index 3a0e9a2f355669..c404bf7a05c85e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
- "risk_score": 50,
 "description": "Windows: Command Prompt Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Command Prompt Connecting to the Internet",
+ "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
new file mode 100644
index 00000000000000..1bcad8ae016ef8
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
@@ -0,0 +1,16 @@
+{
+ "description": "Command shell started by Internet Explorer",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Command shell started by Internet Explorer",
+ "query": "process.parent.name:iexplore.exe and process.name:cmd.exe",
+ "risk_score": 50,
+ "rule_id": "7a6e1e81-deae-4cf6-b807-9a768fff3c06",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
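Review bot: The new rule file `windows_command_shell_started_by_internet_explorer.json` has no `filters` key, whereas every existing rule touched in this PR carries `"filters": [],` and the conversion script presumably emits it; the same applies to the two new files that follow, `windows_command_shell_started_by_powershell.json` and `windows_command_shell_started_by_svchost.json`. If the rule schema or the pre-packaged loader treats `filters` as required, these three rules will fail to load or will diverge from a regenerated set; either add `"filters": [],` after `"enabled": false,` in each, or confirm the key is optional and note that in the conversion script. Keeping the new hand-written files byte-compatible with the generated ones also keeps the key-ordering this PR introduces stable across regenerations.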
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
new file mode 100644
index 00000000000000..faa9694f658ff0
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
@@ -0,0 +1,16 @@
+{
+ "description": "Command shell started by Powershell",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Command shell started by Powershell",
+ "query": "process.parent.name:powershell.exe and process.name:cmd.exe",
+ "risk_score": 50,
+ "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
new file mode 100644
index 00000000000000..aa371fea3f01d2
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
@@ -0,0 +1,16 @@
+{
+ "description": "Command shell started by Svchost",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Command shell started by Svchost",
+ "query": "process.parent.name:svchost.exe and process.name:cmd.exe",
+ "risk_score": 50,
+ "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
index 2273249c49b615..dec76deb3e8880 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "66885745-ea38-432c-9edb-599b943948d4",
- "risk_score": 50,
 "description": "Windows Credential Dumping Commands",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Credential Dumping Commands",
+ "query": "event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*)",
+ "risk_score": 50,
+ "rule_id": "66885745-ea38-432c-9edb-599b943948d4",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
index 5c9c72efb7aa7c..de3fc49fefa374 100644
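Review bot: The `query` carried onto the new side, `event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or ...`, relies on `and` binding tighter than `or` in KQL, so the `event.code: 1` constraint applies only to the first alternative; the `gsecdump`, `wce`, `procdump`/`lsass` and `ntdsutil` branches match on any event code. Parenthesise the alternatives: `event.code: 1 and (process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*))`. Note also that `process.args:*wce*` is an unanchored substring match, so any argument containing "wce" satisfies it; if that produces noise, an exact or anchored form is worth considering. The same precedence problem appears in `windows_execution_via_connection_manager.json` further down.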
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f872647c-d070-4b1c-afcc-055f081d9205",
- "risk_score": 50,
 "description": "Windows Credential Dumping via ImageLoad",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Credential Dumping via ImageLoad",
+ "query": "event.code:7 and not process.name:Sysmon.exe and not process.name:Sysmon64.exe and not process.name:svchost.exe and not process.name:logonui.exe and (file.path:*samlib.dll* or file.path:*WinSCard.dll* or file.path:*cryptdll.dll* or file.path:*hid.dll* or file.path:*vaultcli.dll*)",
+ "risk_score": 50,
+ "rule_id": "f872647c-d070-4b1c-afcc-055f081d9205",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:7 and not process.name:Sysmon.exe and not process.name:Sysmon64.exe and not process.name:svchost.exe and not process.name:logonui.exe and (file.path:*samlib.dll* or file.path:*WinSCard.dll* or file.path:*cryptdll.dll* or file.path:*hid.dll* or file.path:*vaultcli.dll*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
index 38e23c5759162a..016f49e22a8f8f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "9f6fb56f-4bbd-404e-b955-49dfba7c0e68",
- "risk_score": 50,
 "description": "Windows Credential Dumping via Registry Save",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Credential Dumping via Registry Save",
+ "query": "event.code: 1 and process.name:reg.exe and process.args:*save* and (process.args:*sam* or process.args:*system*)",
+ "risk_score": 50,
+ "rule_id": "9f6fb56f-4bbd-404e-b955-49dfba7c0e68",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code: 1 and process.name:reg.exe and process.args:*save* and (process.args:*sam* or process.args:*system*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
index 604c4148d30568..cf1334eda67781 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "bc913943-e1f9-4bf5-a593-caca7c2eb0c3",
- "risk_score": 50,
 "description": "Windows Data Compression Using Powershell",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Data Compression Using Powershell",
+ "query": "event.code: 1 and process.name:powershell.exe and (process.args:*Recurse* and process.args:*Compress-Archive*)",
+ "risk_score": 50,
+ "rule_id": "bc913943-e1f9-4bf5-a593-caca7c2eb0c3",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code: 1 and process.name:powershell.exe and (process.args:*Recurse* and process.args:*Compress-Archive*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
index 7d6e6c7d539763..f718e5effe8ae1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d9642bf2-87d0-45c2-8781-2bd2017cdbb8",
- "risk_score": 50,
 "description": "Windows Defense Evasion - Decoding Using Certutil",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Defense Evasion - Decoding Using Certutil",
+ "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)",
+ "risk_score": 50,
+ "rule_id": "d9642bf2-87d0-45c2-8781-2bd2017cdbb8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
index f8f2b6a3fac2a7..844a3fc2ac9ec2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
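Review bot: The `query` kept on the new side of this rule, `event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)`, does not reference certutil at all even though the rule is named and described as "Decoding Using Certutil"; it is the pre-change query of `windows_defense_evasion_or_persistence_via_hidden_files.json` in the next section, which this PR rewrites to the phrase form `process.args:"+h"`. As committed, enabling this rule produces hidden-file attribute alerts under a certutil label, so the description and the logic disagree. Either replace the query with one that actually matches the described technique or rename the rule to what it detects; the intended certutil query cannot be recovered from the diff, and if it is restored it should use the same phrase form the hidden-files rule now uses rather than the `*+h*` wildcard this copy still carries.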
@@ -1,17 +1,17 @@
 {
- "rule_id": "340a0063-baba-447b-8396-26a5cc1eb684",
- "risk_score": 50,
 "description": "Windows Defense Evasion or Persistence via Hidden Files",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Defense Evasion or Persistence via Hidden Files",
+ "query": "event.code:1 and process.name:attrib.exe and (process.args:\"+h\" or process.args:\"+s\")",
+ "risk_score": 50,
+ "rule_id": "340a0063-baba-447b-8396-26a5cc1eb684",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
index 362ed715a8ebfb..b98b0e3f8d0aa1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
- "risk_score": 50,
 "description": "Windows Defense evasion via Filter Manager",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Defense evasion via Filter Manager",
+ "query": "event.code:1 and process.name:fltmc.exe",
+ "risk_score": 50,
+ "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:fltmc.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
index e58399c8c39d24..2d37fedd30480d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "07979a67-ab4d-460f-9ff3-bf1352de6762",
- "risk_score": 50,
 "description": "Windows Defense Evasion via Windows Event Log Tools",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Defense Evasion via Windows Event Log Tools",
+ "query": "event.code:1 and process.name:wevtutil.exe",
+ "risk_score": 50,
+ "rule_id": "07979a67-ab4d-460f-9ff3-bf1352de6762",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:wevtutil.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
index dac45ae03c237c..027556b7f24569 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
- "risk_score": 50,
 "description": "Windows Execution via Compiled HTML File",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Execution via Compiled HTML File",
+ "query": "event.code:1 and process.name:hh.exe",
+ "risk_score": 50,
+ "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:hh.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
index f97b1da2d5885e..30d2f4e3c89360 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "f2728299-167a-489c-913c-2e0955ac3c40",
- "risk_score": 50,
 "description": "Windows Execution via Connection Manager",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Execution via Connection Manager",
+ "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
+ "risk_score": 50,
+ "rule_id": "f2728299-167a-489c-913c-2e0955ac3c40",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
index 3a98dcc992e3db..aa67d2aebe64bb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
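Review bot: The new-side query of "Windows Execution via Connection Manager" is byte-identical to the one in windows_indirect_command_execution.json later in this patch (`event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)`) and none of its terms name a connection-manager binary, so this looks like a copy-paste that leaves the rule duplicating another one instead of covering its own technique; the intended query should be confirmed with the rule author. Separately, the expression mixes `and` and `or` without grouping, and since `and` binds tighter than `or` in KQL the parenthesised `or (...)` branch is evaluated independently of `event.code:1`, so any event type mentioning those process names matches. `event.code:1 and (process.parent.name:pcalua.exe or process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)` expresses what is presumably meant. The same ungrouped pattern is carried over in windows_indirect_command_execution.json and newly introduced in windows_iodine_activity.json, whose new query reads `event.code: 1 and process.name:iodine.exe or process.name:iodined.exe`.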
@@ -1,17 +1,17 @@ { - "rule_id": "b007cc82-c522-48d1-b7a7-53f63c50c494", - "risk_score": 50, "description": "Windows Execution via Microsoft HTML Application (HTA)", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows Execution via Microsoft HTML Application (HTA)", + "query": "event.code:1 and (process.parent.args:*mshta* or process.args:*mshta*)", + "risk_score": 50, + "rule_id": "b007cc82-c522-48d1-b7a7-53f63c50c494", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.code:1 and (process.parent.args:*mshta* or process.args:*mshta*)", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json index be40d7616290fb..20e0eba610e957 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json 
@@ -1,17 +1,17 @@ { - "rule_id": "5c12412f-602c-4120-8c4f-69d723dbba04", - "risk_score": 50, "description": "Windows Execution via .NET COM Assemblies", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows Execution via .NET COM Assemblies", + "query": "event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)", + "risk_score": 50, + "rule_id": "5c12412f-602c-4120-8c4f-69d723dbba04", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json index c4351f70e385d0..9371ec67fcec5c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json 
@@ -1,17 +1,17 @@
 {
- "rule_id": "b7333d08-be4b-4cb4-b81e-924ae37b3143",
- "risk_score": 50,
 "description": "Windows Execution via Regsvr32",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Execution via Regsvr32",
+ "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)",
+ "risk_score": 50,
+ "rule_id": "b7333d08-be4b-4cb4-b81e-924ae37b3143",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
index cf0701685af277..3153c0d38d2fd6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
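Review bot: `scrobj.dll` in the new `query` line is a bare term bound to no field, so it is matched against whatever default fields the index pattern exposes rather than against the command line, and the rule's coverage therefore depends on index settings instead of on the rule text. If the term is meant to match the process arguments, binding it explicitly, e.g. `process.args:*scrobj.dll*`, makes the match reproducible across deployments; the exact field is a guess from the surrounding `process.name` terms and should be confirmed. The commit only moves this line, so the ambiguity is pre-existing rather than introduced here.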
@@ -1,17 +1,17 @@ { - "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", - "risk_score": 50, "description": "Windows Execution via Trusted Developer Utilities", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows Execution via Trusted Developer Utilities", + "query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)", + "risk_score": 50, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json index 6fa1d4eae74613..4e39ab96840dff 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", - "risk_score": 50, "description": "Windows: HTML Help executable Program Connecting to the Internet", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows: HTML Help executable Program Connecting to the Internet", + "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json index 6e735cae12985c..d00f671c7b606f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json 
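Review bot: The `not destination.ip:` exclusions in the new `query` line cover only the three RFC 1918 ranges, so connections by hh.exe to loopback (127.0.0.0/8) or link-local (169.254.0.0/16) destinations would still match a rule named "Connecting to the Internet"; whether that is intended should be recorded in the rule description, or the ranges added to the exclusion list. The same exclusion list is repeated verbatim in windows_microsoft_html_application_hta_connecting_to_the_internet.json, windows_misc_lolbin_connecting_to_the_internet.json and windows_network_anomalous_windows_process_using_https_ports.json, so any tuning here should be applied to all four rules together.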
@@ -1,29 +1,22 @@ { - "rule_id": "f23e4cc7-6825-4a28-b27a-e67437a9a806", - "risk_score": 50, "description": "Windows image load from a temp directory", - "immutable": true, - "interval": "5m", - "name": "Windows image load from a temp directory", - "severity": "low", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "file.path:Temp", - "language": "kuery", + "enabled": false, "filters": [ { + "$state": { + "store": "appState" + }, "meta": { "alias": null, - "negate": false, - "type": "phrase", + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.action", - "value": "Image loaded (rule: ImageLoad)", + "negate": false, "params": { "query": "Image loaded (rule: ImageLoad)" }, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + "type": "phrase", + "value": "Image loaded (rule: ImageLoad)" }, "query": { "match": { @@ -32,12 +25,19 @@ "type": "phrase" } } - }, - "$state": { - "store": "appState" } } ], - "enabled": false, + "from": "now-6m", + "immutable": true, + "interval": "5m", + "language": "kuery", + "name": "Windows image load from a temp directory", + "query": "file.path:Temp", + "risk_score": 50, + "rule_id": "f23e4cc7-6825-4a28-b27a-e67437a9a806", + "severity": "low", + "to": "now", + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json index bfcf40d403fbe5..cbde84a5fc8580 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json 
@@ -1,17 +1,17 @@ { - "rule_id": "ff969842-c573-4e69-8e12-02fb303290f2", - "risk_score": 50, "description": "Windows Indirect Command Execution", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows Indirect Command Execution", + "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)", + "risk_score": 50, + "rule_id": "ff969842-c573-4e69-8e12-02fb303290f2", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json index 7fb35a0176b442..e60c57ebc489a3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json 
@@ -1,17 +1,17 @@
 {
- "rule_id": "fcbbf0b2-99c5-4c7f-8411-dc9ee392e43f",
- "risk_score": 50,
 "description": "Windows Iodine activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Iodine activity",
+ "query": "event.code: 1 and process.name:iodine.exe or process.name:iodined.exe",
+ "risk_score": 50,
+ "rule_id": "fcbbf0b2-99c5-4c7f-8411-dc9ee392e43f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:iodine.exe or process.name:iodined.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
index b163dcc5c056e3..378b23825dc820 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
@@ -1,17 +1,17 @@ { - "rule_id": "cec5eb81-6e01-40e5-a1bf-bf175cce4eb4", - "risk_score": 50, "description": "Windows Management Instrumentation (WMI) Execution", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows Management Instrumentation (WMI) Execution", + "query": "event.code:1 and (process.parent.args:*wmiprvse.exe* or process.name:wmic.exe or process.args:*wmic* )", + "risk_score": 50, + "rule_id": "cec5eb81-6e01-40e5-a1bf-bf175cce4eb4", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "event.code:1 and (process.parent.args:*wmiprvse.exe* or process.name:wmic.exe or process.args:*wmic* )", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json index 647dc53a0d05fd..8b5dffeec67af4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json 
@@ -1,17 +1,17 @@ { - "rule_id": "b084514b-e8ba-4bc4-bc2b-50fe145a4215", - "risk_score": 50, "description": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet", + "query": "process.name:mshta.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "b084514b-e8ba-4bc4-bc2b-50fe145a4215", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:mshta.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json index a6fa7f8942978a..1016d2c7af5f24 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json 
@@ -1,43 +1,16 @@ { - "rule_id": "5346463d-062f-419d-88ff-7a5e97875210", - "risk_score": 50, "description": "Windows Mimikatz activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows Mimikatz activity", + "query": "event.code: 1 and process.name:mimikatz.exe", + "risk_score": 50, + "rule_id": "5346463d-062f-419d-88ff-7a5e97875210", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:mimikatz.exe", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json index d2bf2985574015..e6d606384d4548 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json 
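Review bot: The rewritten object drops the `filters` key altogether instead of leaving `"filters": []` as the other rule files in this patch do (compare the new side of windows_iodine_activity.json), so the pre-packaged rules no longer share one shape. If the rule schema treats a missing `filters` as optional this is harmless, but that should be confirmed, and for uniformity `"filters": [],` belongs between `"enabled": false,` and `"from": "now-6m",` here. The same omission appears in windows_net_command_activity_by_the_system_account.json, windows_net_user_command_activity.json, windows_netcat_activity.json, windows_netcat_network_activity.json, windows_nmap_activity.json and windows_nmap_scan_activity.json.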
@@ -1,17 +1,17 @@ { - "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", - "risk_score": 50, "description": "Windows: Misc LOLBin Connecting to the Internet", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows: Misc LOLBin Connecting to the Internet", + "query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", + "risk_score": 50, + "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json index cc5e4cec1d7bd8..f8689bb314857e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json 
@@ -1,53 +1,16 @@ { - "rule_id": "c3f5dc81-a8b4-4144-95a7-d0a818d7355d", - "risk_score": 50, "description": "Windows net command activity by the SYSTEM account", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows net command activity by the SYSTEM account", + "query": "process.name: (net.exe or net1.exe) and user.name:SYSTEM", + "risk_score": 50, + "rule_id": "c3f5dc81-a8b4-4144-95a7-d0a818d7355d", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "user.name:SYSTEM", - "language": "kuery", - "filters": [ - { - "meta": { - "type": "phrases", - "key": "process.name", - "value": "net.exe, net1.exe", - "params": [ - "net.exe", - "net1.exe" - ], - "alias": null, - "negate": false, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "bool": { - "should": [ - { - "match_phrase": { - "process.name": "net.exe" - } - }, - { - "match_phrase": { - "process.name": "net1.exe" - } - } - ], - "minimum_should_match": 1 - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json index 182f6a0c0928c9..6b895f30fd5c4e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json 
@@ -1,43 +1,16 @@ { - "rule_id": "b039a69d-7fba-4c84-8029-57ac12548a15", - "risk_score": 50, "description": "Windows net user command activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows net user command activity", + "query": "process.name:net.exe and process.args:user and event.code:1", + "risk_score": 50, + "rule_id": "b039a69d-7fba-4c84-8029-57ac12548a15", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:net.exe and process.args:user", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json index fef425b72281f2..8b105514ec798b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json 
@@ -1,43 +1,16 @@ { - "rule_id": "e2437364-0c89-4e65-a34b-782cfbb7690b", - "risk_score": 50, "description": "Windows Netcat activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows Netcat activity", + "query": "process.name:ncat.exe and event.code:1", + "risk_score": 50, + "rule_id": "e2437364-0c89-4e65-a34b-782cfbb7690b", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:ncat.exe", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json index 91b094785a9bb6..c16c91d9637e56 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json 
@@ -1,43 +1,16 @@ { - "rule_id": "ebdc4b6f-7fdb-4c21-bbd6-59e1ed11024a", - "risk_score": 50, "description": "Windows Netcat network activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows Netcat network activity", + "query": "process.name:ncat.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"", + "risk_score": 50, + "rule_id": "ebdc4b6f-7fdb-4c21-bbd6-59e1ed11024a", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:ncat.exe", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "connected-to", - "params": { - "query": "connected-to" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "connected-to", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json index c59bc4dfa41356..a22b12d242414a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json 
@@ -1,17 +1,17 @@ { - "rule_id": "b486fa9e-e6c7-44a1-b07d-7d5f07f21ce1", - "risk_score": 50, "description": "Windows Network - Anomalous Windows Process Using HTTP/S Ports", + "enabled": false, + "filters": [], + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows Network - Anomalous Windows Process Using HTTP/S Ports", + "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:chrome.exe and not process.name:explorer.exe and not process.name:filebeat.exe and not process.name:firefox.exe and not process.name:iexplore.exe and not process.name:jusched.exe and not process.name:MpCmdRun.exe and not process.name:MpSigStub.exe and not process.name:msfeedssync.exe and not process.name:packetbeat.exe and not process.name:powershell.exe and not process.name:procexp64.exe and not process.name:svchost.exe and not process.name:taskhostw.exe and not process.name:winlogbeat.exe", + "risk_score": 50, + "rule_id": "b486fa9e-e6c7-44a1-b07d-7d5f07f21ce1", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:chrome.exe and not process.name:explorer.exe and not process.name:filebeat.exe and not process.name:firefox.exe and not process.name:iexplore.exe and not process.name:jusched.exe and not process.name:MpCmdRun.exe and not process.name:MpSigStub.exe and not process.name:msfeedssync.exe and not process.name:packetbeat.exe and not process.name:powershell.exe and not process.name:procexp64.exe and not process.name:svchost.exe and not process.name:taskhostw.exe and not process.name:winlogbeat.exe", - "language": "kuery", - "filters": [], - "enabled": false, + "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json index 31409e087f8a5a..a0c3b5be64d1c3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json @@ -1,43 +1,16 @@ { - "rule_id": "5a4b2a98-31a6-4852-b224-d63aeb9e172d", - "risk_score": 50, "description": "Windows nmap activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows nmap activity", + "query": "process.name:nmap.exe and event.code:1", + "risk_score": 50, + "rule_id": "5a4b2a98-31a6-4852-b224-d63aeb9e172d", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:nmap.exe", - "language": "kuery", - "filters": [ - { - "meta": { - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "Process Create (rule: ProcessCreate)", - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "disabled": false, - "alias": null, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json index 580cbe2abcb416..0195367b6f7125 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json @@ -1,43 +1,16 @@ { - "rule_id": "54413985-a3da-4f45-b238-75afb65a1bae", - "risk_score": 50, "description": "Windows nmap scan activity", + "enabled": false, + "from": "now-6m", "immutable": true, "interval": "5m", + "language": "kuery", "name": "Windows nmap scan activity", + "query": "process.name:nmap.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"", + "risk_score": 50, + "rule_id": "54413985-a3da-4f45-b238-75afb65a1bae", "severity": "low", - "type": "query", - "from": "now-6m", "to": "now", - "query": "process.name:nmap.exe", - "language": "kuery", - "filters": [ - { - "meta": { - "alias": null, - "negate": false, - "type": "phrase", - "key": "event.action", - "value": "Network connection detected (rule: NetworkConnect)", - "params": { - "query": "Network connection detected (rule: NetworkConnect)" - }, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" - }, - "query": { - "match": { - "event.action": { - "query": "Network connection detected (rule: NetworkConnect)", - "type": "phrase" - } - } - }, - "$state": { - "store": "appState" - } - } - ], - "enabled": false, + "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json index 9c76c4273cafc1..421cadfa8a63d7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json 
@@ -1,17 +1,17 @@
 {
- "rule_id": "ce7c270c-c69b-47dd-8c21-60a35e92f372",
- "risk_score": 50,
 "description": "Windows Payload Obfuscation via Certutil",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Payload Obfuscation via Certutil",
+ "query": "event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)",
+ "risk_score": 50,
+ "rule_id": "ce7c270c-c69b-47dd-8c21-60a35e92f372",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
index 98268e9f4ad661..47de4ba9ff6e74 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "015f070d-cf70-437c-99d1-472e31d36b03",
- "risk_score": 50,
 "description": "Windows Persistence or Priv Escalation via Hooking",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence or Priv Escalation via Hooking",
+ "query": "event.code:1 and process.name:mavinject.exe and processs.args:*INJECTRUNNING*",
+ "risk_score": 50,
+ "rule_id": "015f070d-cf70-437c-99d1-472e31d36b03",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:mavinject.exe and processs.args:*INJECTRUNNING*",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
index 4db53da43399b6..c6e558a3be2607 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
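Review bot: The added query line in windows_persistence_or_priv_escalation_via_hooking.json still reads `processs.args:*INJECTRUNNING*` — the field name is misspelled with three s's, so the clause can never match an ECS document and the rule silently produces no alerts. The typo is carried over verbatim from the removed line, so the key reordering did not fix it. The line should be `"query": "event.code:1 and process.name:mavinject.exe and process.args:*INJECTRUNNING*",`, matching the `process.args` spelling used by every other rule in this change.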
@@ -1,17 +1,17 @@
 {
- "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
- "risk_score": 50,
 "description": "Windows Persistence via Application Shimming",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence via Application Shimming",
+ "query": "event.code:1 and process.name:sdbinst.exe",
+ "risk_score": 50,
+ "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:sdbinst.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
index e2560badb7be61..b6d97628f98ec5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7904fb20-172c-43fb-83e4-bfe27e3c702c",
- "risk_score": 50,
 "description": "Windows Persistence via BITS Jobs",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence via BITS Jobs",
+ "query": "event.code:1 and (process.name:bitsadmin.exe or process.args:*Start-BitsTransfer*)",
+ "risk_score": 50,
+ "rule_id": "7904fb20-172c-43fb-83e4-bfe27e3c702c",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and (process.name:bitsadmin.exe or process.args:*Start-BitsTransfer*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
index 27300362fecf66..782ce7a6eec92b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "3bb04809-84ab-4487-bd99-ccc58675bd40",
- "risk_score": 50,
 "description": "Windows Persistence via Modification of Existing Service",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence via Modification of Existing Service",
+ "query": "event.code:1 and process.args:*sc*config*binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)",
+ "risk_score": 50,
+ "rule_id": "3bb04809-84ab-4487-bd99-ccc58675bd40",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.args:*sc*config*binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
index c0bd446f968c8d..19e6ac51158eb3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d7c2561d-2758-46ad-b5a9-247efb9eea21",
- "risk_score": 50,
 "description": "Windows Persistence via Netshell Helper DLL",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Persistence via Netshell Helper DLL",
+ "query": "event.code:1 and process.name:netsh.exe and process.args:*helper*",
+ "risk_score": 50,
+ "rule_id": "d7c2561d-2758-46ad-b5a9-247efb9eea21",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:netsh.exe and process.args:*helper*",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
index dc3fed37a8c53d..50e3d6e0f38747 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a8cfa646-e4d8-48b5-884e-6204ba77fc8d",
- "risk_score": 50,
 "description": "Windows: Powershell Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Powershell Connecting to the Internet",
+ "query": "process.name:powershell.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "a8cfa646-e4d8-48b5-884e-6204ba77fc8d",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:powershell.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
index afeb03150dfcf1..96faa2a88e3a63 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
- "risk_score": 50,
 "description": "Windows Priv Escalation via Accessibility Features",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Priv Escalation via Accessibility Features",
+ "query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)",
+ "risk_score": 50,
+ "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
index 488943dea29498..572a9ede23e2af 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
- "risk_score": 50,
 "description": "Windows Process Discovery via Tasklist Command",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Process Discovery via Tasklist Command",
+ "query": "event.code:1 and process.name:tasklist.exe",
+ "risk_score": 50,
+ "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and process.name:tasklist.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
new file mode 100644
index 00000000000000..9e29c82e48872e
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
@@ -0,0 +1,17 @@
+{
+ "description": "Process Execution via WMI",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Process Execution via WMI",
+ "query": "process.name:scrcons.exe",
+ "risk_score": 50,
+ "rule_id": "7e6cd4b9-6346-4683-b3e6-6a3e66f3208f",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
new file mode 100644
index 00000000000000..e96c223765cbdb
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
@@ -0,0 +1,16 @@
+{
+ "description": "Process started by Acrobat reader - possible payload",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Process started by Acrobat reader - possible payload",
+ "query": "process.parent.name:AcroRd32.exe and event.code:1",
+ "risk_score": 50,
+ "rule_id": "b6422896-b6e3-45c3-9d9e-4eccb2a25270",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
new file mode 100644
index 00000000000000..c2e185cd0c7ebf
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
@@ -0,0 +1,16 @@
+{
+ "description": "Process started by MS Office program - possible payload",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Process started by MS Office program - possible payload",
+ "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE and event.code:1",
+ "risk_score": 50,
+ "rule_id": "838dcec6-ce9a-4cdd-9ca8-f6512cf6d559",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
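Review bot: In the new query of windows_process_started_by_ms_office_program_possible_payload.json the trailing `and event.code:1` binds only to the last operand (`process.parent.name:WINWORD.EXE`), because KQL gives `and` higher precedence than `or`; the Excel, Publisher, Outlook, PowerPoint and Visio branches therefore match events of every code, not just process creation, which inflates the rule's noise. Wrap the parent list in parentheses: `"query": "(process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE) and event.code:1",`. The Acrobat Reader rule added on the same line has a single parent term and is not affected.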
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
index ea246b02643708..6902807cb51d11 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
@@ -1,43 +1,16 @@
 {
- "rule_id": "159168a1-b1d0-4e5c-ad72-c1e9ae2edec2",
- "risk_score": 50,
 "description": "Windows process started by the Java runtime",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows process started by the Java runtime",
+ "query": "process.parent.name:javaw.exe and event.code:1",
+ "risk_score": 50,
+ "rule_id": "159168a1-b1d0-4e5c-ad72-c1e9ae2edec2",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.parent.name:javaw.exe",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
- "params": {
- "query": "Process Create (rule: ProcessCreate)"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "Process Create (rule: ProcessCreate)",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
new file mode 100644
index 00000000000000..280f061ed7785e
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
@@ -0,0 +1,17 @@
+{
+ "description": "PSexec activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "PSexec activity",
+ "query": "process.name:PsExec.exe or process.name:PsExec64.exe",
+ "risk_score": 50,
+ "rule_id": "3e61ab8b-0f39-4d2e-ab64-332f0d0b3ad7",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
index cce8effd5d536f..563553a24a3e7b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
- "risk_score": 50,
 "description": "Windows: Register Server Program Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Register Server Program Connecting to the Internet",
+ "query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
index af9935275267bc..d9bc00cfbd3367 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b9074c74-6d23-4b07-927e-cc18b318a088",
- "risk_score": 50,
 "description": "Windows Registry Query, Local",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Registry Query, Local",
+ "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
+ "risk_score": 50,
+ "rule_id": "b9074c74-6d23-4b07-927e-cc18b318a088",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
index 4926aabcb8f9d9..ddf8ff569e35f7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
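Review bot: windows_registry_query_local.json and windows_registry_query_network.json (the next hunk) end up with byte-identical queries, `event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*`, so the "Network" rule cannot tell a remote registry query from a local one and every matching event fires both rules. The removed lines carry the same query, so this is pre-existing rather than introduced here, but the reorder is a good moment to fix it. Presumably the network variant was meant to require an argument that names a remote host; confirm the intended discriminator and add it to the network query, or retire one of the two rules and note it in the PR description.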
@@ -1,17 +1,17 @@
 {
- "rule_id": "f5412e37-981e-4d37-a1b2-eddaf797445a",
- "risk_score": 50,
 "description": "Windows Registry Query, Network",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Registry Query, Network",
+ "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
+ "risk_score": 50,
+ "rule_id": "f5412e37-981e-4d37-a1b2-eddaf797445a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
index d0765ee531bb3b..0e67b777ac6dc5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ced66221-3e07-40ee-8588-5f107e7d50d8",
- "risk_score": 50,
 "description": "Windows Remote Management Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Remote Management Execution",
+ "query": "(process.name:wsmprovhost.exe or process.name:winrm.cmd) and (process.args:*Enable-PSRemoting -Force* or process.args:*Invoke-Command -computer_name* or process.args:*wmic*node*process call create*)",
+ "risk_score": 50,
+ "rule_id": "ced66221-3e07-40ee-8588-5f107e7d50d8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(process.name:wsmprovhost.exe or process.name:winrm.cmd) and (process.args:*Enable-PSRemoting -Force* or process.args:*Invoke-Command -computer_name* or process.args:*wmic*node*process call create*)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
index e84d6912793bd1..58fd2df8f15ef1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a1abd54d-3021-4f21-b2d1-0c6bc5c4051f",
- "risk_score": 50,
 "description": "Windows Scheduled Task Activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Scheduled Task Activity",
+ "query": "event.code:1 and (process.name:schtasks.exe or process.name:taskeng.exe) or (event.code:1 and process.name:svchost.exe and not process.parent.executable: \"C:\\Windows\\System32\\services.exe\" )",
+ "risk_score": 50,
+ "rule_id": "a1abd54d-3021-4f21-b2d1-0c6bc5c4051f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and (process.name:schtasks.exe or process.name:taskeng.exe) or (event.code:1 and process.name:svchost.exe and not process.parent.executable: \"C:\\Windows\\System32\\services.exe\" )",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
index 373d5aa86e6a63..41559425538ab2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "2cc4597c-b0c9-4481-b1a6-e6c05cfc9f02",
- "risk_score": 50,
 "description": "Windows: Script Interpreter Connecting to the Internet",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows: Script Interpreter Connecting to the Internet",
+ "query": "(process.name:cscript.exe or process.name:wscript.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
+ "risk_score": 50,
+ "rule_id": "2cc4597c-b0c9-4481-b1a6-e6c05cfc9f02",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "(process.name:cscript.exe or process.name:wscript.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
index a05d37126be3e2..64185c784e0282 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
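Review bot: The new query in windows_script_interpreter_connecting_to_the_internet.json excludes only the three RFC 1918 ranges, whereas its two sibling "Connecting to the Internet" rules (windows_powershell_connecting_to_the_internet.json and windows_register_server_program_connecting_to_the_internet.json, earlier in this diff) additionally exclude the link-local metadata address `169.254.169.254/32`. The removed line shows the same omission, so it is not a regression, but with the three rules now being normalised together it is worth deciding deliberately. If the exclusion should apply here too, append `and not destination.ip:169.254.169.254/32` to the query; if not, a sentence in the rule's description saying why would save the next reader the comparison.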
@@ -1,17 +1,17 @@
 {
- "rule_id": "7edb573f-1f9b-4161-8c19-c7c383bb17f2",
- "risk_score": 50,
 "description": "Windows Signed Binary Proxy Execution",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution",
+ "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)",
+ "risk_score": 50,
+ "rule_id": "7edb573f-1f9b-4161-8c19-c7c383bb17f2",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
index 931a1f170e5bd1..b1146f07612f67 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
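Review bot: The new query in windows_signed_binary_proxy_execution.json, and likewise windows_signed_binary_proxy_execution_download.json in the next hunk, contains a bare `http` term with no field, which KQL evaluates as a free-text match over the index's default search fields rather than over the command line; what it hits therefore depends on the index mapping and can include unrelated fields. Presumably a URL in the process arguments is intended — confirm and make the field explicit, e.g. `process.args:*http*`, so the rule's meaning does not change with index settings. The download rule's query also begins with a stray space (`" event.code:3 and http ...`); harmless to KQL but worth trimming while the file is being rewritten.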
@@ -1,17 +1,17 @@
 {
- "rule_id": "68ecc190-cce2-4021-b976-c7c846ac0a00",
- "risk_score": 50,
 "description": "Windows Signed Binary Proxy Execution Download",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution Download",
+ "query": " event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)",
+ "risk_score": 50,
+ "rule_id": "68ecc190-cce2-4021-b976-c7c846ac0a00",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": " event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
new file mode 100644
index 00000000000000..c5a7db434ac386
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
@@ -0,0 +1,16 @@
+{
+ "description": "Suspicious process started by a script",
+ "enabled": false,
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "Suspicious process started by a script",
+ "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe) and event.code:1",
+ "risk_score": 50,
+ "rule_id": "89db767d-99f9-479f-8052-9205fd3090c4",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
index e4acdcee249bf2..b13a20518893cf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
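Review bot: In the added query of windows_suspicious_process_started_by_a_script.json the child-process group contains `or mshta.exe or` with no field name, so that operand is a free-text search over the default fields rather than a `process.name` match; any document holding the token anywhere in a searched field satisfies the second group, which widens the rule well beyond the listed binaries. Change it to `process.name:mshta.exe` so it reads like the neighbouring operands. The parent group on the same line is written consistently and needs no change.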
@@ -1,43 +1,16 @@
 {
- "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
- "risk_score": 50,
 "description": "Windows whoami command activity",
+ "enabled": false,
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows whoami command activity",
+ "query": "process.name:whoami.exe and event.code:1",
+ "risk_score": 50,
+ "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:whoami.exe",
- "language": "kuery",
- "filters": [
- {
- "meta": {
- "negate": false,
- "type": "phrase",
- "key": "event.action",
- "value": "Process Create (rule: ProcessCreate)",
- "params": {
- "query": "Process Create (rule: ProcessCreate)"
- },
- "disabled": false,
- "alias": null,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
- },
- "query": {
- "match": {
- "event.action": {
- "query": "Process Create (rule: ProcessCreate)",
- "type": "phrase"
- }
- }
- },
- "$state": {
- "store": "appState"
- }
- }
- ],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
new file mode 100644
index 00000000000000..8fc548b694b02b
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
@@ -0,0 +1,17 @@
+{
+ "description": "WinDump activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
+ "immutable": true,
+ "interval": "5m",
+ "language": "kuery",
+ "name": "WinDump activity",
+ "query": "process.name:WinDump.exe",
+ "risk_score": 50,
+ "rule_id": "a342cfcb-8420-46a4-8d85-53edc631e0d6",
+ "severity": "low",
+ "to": "now",
+ "type": "query",
+ "version": 1
+}
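Review bot: The new file `windows_windump_activity.json` (rule_id `a342cfcb-8420-46a4-8d85-53edc631e0d6`) is a field-for-field duplicate of the existing `windump_activity.json` hunk further down in this diff (rule_id `61c56cf4-0c08-4ad5-83ea-d2fe6ac62fa8`): same `"name": "WinDump activity"`, same description and the same `"query": "process.name:WinDump.exe"`. Because the two carry different rule_ids, the rule_id duplicate check this PR adds to the linter will not catch it, and installing the pre-packaged set would create two identical immutable rules that fire twice on the same event. One of the two files should be dropped, and it would be worth extending the linter check to flag duplicate `name` or `query` values across the set as well.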
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
index 75dfa58e33318f..30ee18fe53557b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "9af965ed-d501-4541-97f6-5f8d2a39737b",
- "risk_score": 50,
 "description": "Windows Wireshark activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Windows Wireshark activity",
+ "query": "process.name:wireshark.exe",
+ "risk_score": 50,
+ "rule_id": "9af965ed-d501-4541-97f6-5f8d2a39737b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:wireshark.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json
index db42e194fcf9f7..7b40fc208ecd57 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "61c56cf4-0c08-4ad5-83ea-d2fe6ac62fa8",
- "risk_score": 50,
 "description": "WinDump activity",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "WinDump activity",
+ "query": "process.name:WinDump.exe",
+ "risk_score": 50,
+ "rule_id": "61c56cf4-0c08-4ad5-83ea-d2fe6ac62fa8",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "process.name:WinDump.exe",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json
index 32d722ce42bab6..87549a455c1d3e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "c115a407-799b-45d6-962e-a639bb764c06",
- "risk_score": 50,
 "description": "Detected Zeek capture loss exceeds the percentage threshold",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice CaptureLoss::Too_Much_Loss",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"CaptureLoss::Too_Much_Loss\" or rule.name: \"CaptureLoss::Too_Much_Loss\")",
+ "risk_score": 50,
+ "rule_id": "c115a407-799b-45d6-962e-a639bb764c06",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"CaptureLoss::Too_Much_Loss\" or rule.name: \"CaptureLoss::Too_Much_Loss\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json
index a707c4647b1ea8..69a82f9840a931 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "22d12b64-33f4-40ce-ad57-49dd870bc8e5",
- "risk_score": 50,
 "description": "Data has sequence hole; perhaps due to filtering.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Conn::Content_Gap",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Content_Gap\" or rule.name: \"Conn::Content_Gap\")",
+ "risk_score": 50,
+ "rule_id": "22d12b64-33f4-40ce-ad57-49dd870bc8e5",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Content_Gap\" or rule.name: \"Conn::Content_Gap\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json
index 06f413ce93787e..c5ba4eb8082aaf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "53719624-55f0-4541-8370-f27f6766fb9e",
- "risk_score": 50,
 "description": "Possible evasion; usually just chud.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Conn::Retransmission_Inconsistency",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Retransmission_Inconsistency\" or rule.name: \"Conn::Retransmission_Inconsistency\")",
+ "risk_score": 50,
+ "rule_id": "53719624-55f0-4541-8370-f27f6766fb9e",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Retransmission_Inconsistency\" or rule.name: \"Conn::Retransmission_Inconsistency\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json
index a664b1314fb36a..cb5db1529aa0ec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "39c40c5a-110c-45b1-876f-969212e8814b",
- "risk_score": 50,
 "description": "Raised when a non-local name is found to be pointing at a local host.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice DNS::External_Name",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"DNS::External_Name\" or rule.name: \"DNS::External_Name\")",
+ "risk_score": 50,
+ "rule_id": "39c40c5a-110c-45b1-876f-969212e8814b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"DNS::External_Name\" or rule.name: \"DNS::External_Name\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json
index 73c78ee4354e23..43bc1f05a2212f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7e069475-817e-4e89-9245-1dfaa3083b11",
- "risk_score": 50,
 "description": "Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice FTP::Bruteforcing",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Bruteforcing\" or rule.name: \"FTP::Bruteforcing\")",
+ "risk_score": 50,
+ "rule_id": "7e069475-817e-4e89-9245-1dfaa3083b11",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Bruteforcing\" or rule.name: \"FTP::Bruteforcing\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json
index 69e2087c8800e5..63b8b847563b57 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4b9cb3e9-e26a-4bd2-bd1f-8d451b49838f",
- "risk_score": 50,
 "description": "Indicates that a successful response to a “SITE EXEC” command/arg pair was seen.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice FTP::Site_Exec_Success",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Site_Exec_Success\" or rule.name: \"FTP::Site_Exec_Success\")",
+ "risk_score": 50,
+ "rule_id": "4b9cb3e9-e26a-4bd2-bd1f-8d451b49838f",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Site_Exec_Success\" or rule.name: \"FTP::Site_Exec_Success\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json
index b14eabc3352b0e..adc8878f6986aa 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "68a33102-3680-4581-a48a-210b23925905",
- "risk_score": 50,
 "description": "Indicates that a host performed a heartbleed attack or scan.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack\")",
+ "risk_score": 50,
+ "rule_id": "68a33102-3680-4581-a48a-210b23925905",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json
index 160f2728cdd507..3f03e5483cc315 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "241a61ae-b385-4f36-96c4-b2fb5446cc43",
- "risk_score": 50,
 "description": "Indicates that a host performing a heartbleed attack was probably successful.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack_Success",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack_Success\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack_Success\")",
+ "risk_score": 50,
+ "rule_id": "241a61ae-b385-4f36-96c4-b2fb5446cc43",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack_Success\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack_Success\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json
index cfee3959893766..2902c4a4b8e5fe 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "59d6a32c-753e-4c19-bb77-1befdc6e0e6a",
- "risk_score": 50,
 "description": "Indicates we saw many heartbeat requests without a reply. Might be an attack.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Many_Requests",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Many_Requests\" or rule.name: \"Heartbleed::SSL_Heartbeat_Many_Requests\")",
+ "risk_score": 50,
+ "rule_id": "59d6a32c-753e-4c19-bb77-1befdc6e0e6a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Many_Requests\" or rule.name: \"Heartbleed::SSL_Heartbeat_Many_Requests\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json
index a6456e63a3ec00..871999b842609a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0c6e7be4-6cab-4ee1-ad51-7c1ffd0e9002",
- "risk_score": 50,
 "description": "Indicates we saw heartbeat requests with odd length. Probably an attack or scan.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Odd_Length",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Odd_Length\" or rule.name: \"Heartbleed::SSL_Heartbeat_Odd_Length\")",
+ "risk_score": 50,
+ "rule_id": "0c6e7be4-6cab-4ee1-ad51-7c1ffd0e9002",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Odd_Length\" or rule.name: \"Heartbleed::SSL_Heartbeat_Odd_Length\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json
index 517a03834d57e2..fe6bcb8a881003 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4ca9ef93-7e7e-40a4-8d71-9130204d86e6",
- "risk_score": 50,
 "description": "Indicates that a host performing SQL injection attacks was detected.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice HTTP::SQL_Injection_Attacker",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Attacker\" or rule.name: \"HTTP::SQL_Injection_Attacker\")",
+ "risk_score": 50,
+ "rule_id": "4ca9ef93-7e7e-40a4-8d71-9130204d86e6",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Attacker\" or rule.name: \"HTTP::SQL_Injection_Attacker\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json
index b00e49c89e402c..ed1f5bbaa13b2a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "dda43d7f-69bc-487f-b05c-2b518e9db622",
- "risk_score": 50,
 "description": "Indicates that a host was seen to have SQL injection attacks against it. This is tracked by IP address as opposed to hostname.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice HTTP::SQL_Injection_Victim",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Victim\" or rule.name: \"HTTP::SQL_Injection_Victim\")",
+ "risk_score": 50,
+ "rule_id": "dda43d7f-69bc-487f-b05c-2b518e9db622",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Victim\" or rule.name: \"HTTP::SQL_Injection_Victim\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json
index 27cfe2036744ec..615f3b48276567 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "122e153a-78f3-4e7e-a5b5-cfe0b917f109",
- "risk_score": 50,
 "description": "This notice is generated when an intelligence indicator is denoted to be notice-worthy.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Intel::Notice",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Intel::Notice\" or rule.name: \"Intel::Notice\")",
+ "risk_score": 50,
+ "rule_id": "122e153a-78f3-4e7e-a5b5-cfe0b917f109",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Intel::Notice\" or rule.name: \"Intel::Notice\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json
index 16e22585d6e13f..cbe9fd654c4f80 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7581fd81-25e8-489e-bcf3-69db068b7a6c",
- "risk_score": 50,
 "description": "Zeek notice reporting a count of how often a notice occurred.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Notice::Tally",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Notice::Tally\" or rule.name: \"Notice::Tally\")",
+ "risk_score": 50,
+ "rule_id": "7581fd81-25e8-489e-bcf3-69db068b7a6c",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Notice::Tally\" or rule.name: \"Notice::Tally\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json
index 3e8704dee917a8..2d35d42eb07a1d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "0031d83e-1fb4-4dd6-b938-97ae7044b051",
- "risk_score": 50,
 "description": "Limitations in BPF make shunting some connections with BPF impossible. This notice encompasses those various cases.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::Cannot_BPF_Shunt_Conn",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Cannot_BPF_Shunt_Conn\" or rule.name: \"PacketFilter::Cannot_BPF_Shunt_Conn\")",
+ "risk_score": 50,
+ "rule_id": "0031d83e-1fb4-4dd6-b938-97ae7044b051",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Cannot_BPF_Shunt_Conn\" or rule.name: \"PacketFilter::Cannot_BPF_Shunt_Conn\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json
index 63567a6ebbd90d..4013b77fe6e4ce 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "335b2ddc-f806-46e8-8ffa-114d613aac92",
- "risk_score": 50,
 "description": "This notice is generated if a packet filter cannot be compiled.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::Compile_Failure",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Compile_Failure\" or rule.name: \"PacketFilter::Compile_Failure\")",
+ "risk_score": 50,
+ "rule_id": "335b2ddc-f806-46e8-8ffa-114d613aac92",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Compile_Failure\" or rule.name: \"PacketFilter::Compile_Failure\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json
index 78b664f573b6bb..21229e4055f480 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4f212278-329b-4088-ae59-9091003dff22",
- "risk_score": 50,
 "description": "Indicates packets were dropped by the packet filter.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::Dropped_Packets",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Dropped_Packets\" or rule.name: \"PacketFilter::Dropped_Packets\")",
+ "risk_score": 50,
+ "rule_id": "4f212278-329b-4088-ae59-9091003dff22",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Dropped_Packets\" or rule.name: \"PacketFilter::Dropped_Packets\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json
index 7fec89f251e80f..6f6ff30f99b570 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "235988ec-d037-4f5f-a211-74106512b36d",
- "risk_score": 50,
 "description": "Generated if a packet filter fails to install.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::Install_Failure",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Install_Failure\" or rule.name: \"PacketFilter::Install_Failure\")",
+ "risk_score": 50,
+ "rule_id": "235988ec-d037-4f5f-a211-74106512b36d",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Install_Failure\" or rule.name: \"PacketFilter::Install_Failure\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json
index 176c4373e8e961..0785959078bb71 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "de4016de-3374-41a0-a678-21d36c70af9a",
- "risk_score": 50,
 "description": "Indicative that PacketFilter::max_bpf_shunts connections are already being shunted with BPF filters and no more are allowed.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice PacketFilter::No_More_Conn_Shunts_Available",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::No_More_Conn_Shunts_Available\" or rule.name: \"PacketFilter::No_More_Conn_Shunts_Available\")",
+ "risk_score": 50,
+ "rule_id": "de4016de-3374-41a0-a678-21d36c70af9a",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::No_More_Conn_Shunts_Available\" or rule.name: \"PacketFilter::No_More_Conn_Shunts_Available\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json
index 6077e494779e39..e8dbcaaeec43e0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "71e93c42-7990-4233-a8a5-2631193df7db",
- "risk_score": 50,
  "description": "Generated when a notice takes too long to compile.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice PacketFilter::Too_Long_To_Compile_Filter",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Too_Long_To_Compile_Filter\" or rule.name: \"PacketFilter::Too_Long_To_Compile_Filter\")",
+ "risk_score": 50,
+ "rule_id": "71e93c42-7990-4233-a8a5-2631193df7db",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Too_Long_To_Compile_Filter\" or rule.name: \"PacketFilter::Too_Long_To_Compile_Filter\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json
index 2375fce0cf2b10..0caf01e3823c9b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "777586b6-4757-489e-a6e8-676b7df70b39",
- "risk_score": 50,
  "description": "Indicates a protocol was detected on a non-standard port.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice ProtocolDetector::Protocol_Found",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Protocol_Found\" or rule.name: \"ProtocolDetector::Protocol_Found\")",
+ "risk_score": 50,
+ "rule_id": "777586b6-4757-489e-a6e8-676b7df70b39",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Protocol_Found\" or rule.name: \"ProtocolDetector::Protocol_Found\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json
index 6fd75bd7591219..196c9dc7241c8c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "7d7f7635-6900-4f63-b14b-477a909ea90a",
- "risk_score": 50,
  "description": "Indicates a server was detected on a non-standard port for the protocol.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice ProtocolDetector::Server_Found",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Server_Found\" or rule.name: \"ProtocolDetector::Server_Found\")",
+ "risk_score": 50,
+ "rule_id": "7d7f7635-6900-4f63-b14b-477a909ea90a",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Server_Found\" or rule.name: \"ProtocolDetector::Server_Found\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json
index fe0508f08ab1dd..34c8a126e424c0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "9d320fca-4ec1-4511-bdbc-7edf9673c07d",
- "risk_score": 50,
  "description": "Address scans detect that a host appears to be scanning some number of destinations on a single port.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice Scan::Address_Scan",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Address_Scan\" or rule.name: \"Scan::Address_Scan\")",
+ "risk_score": 50,
+ "rule_id": "9d320fca-4ec1-4511-bdbc-7edf9673c07d",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Address_Scan\" or rule.name: \"Scan::Address_Scan\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json
index 007e5fd94ae5fc..1334f2c08ad09f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d09fbf7a-47a7-4130-8dd7-b386cca81a42",
- "risk_score": 50,
  "description": "Port scans detect that an attacking host appears to be scanning a single victim host on several ports.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice Scan::Port_Scan",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Port_Scan\" or rule.name: \"Scan::Port_Scan\")",
+ "risk_score": 50,
+ "rule_id": "d09fbf7a-47a7-4130-8dd7-b386cca81a42",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Port_Scan\" or rule.name: \"Scan::Port_Scan\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json
index f5b708dce484f3..1dc25388dc688f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a704589c-8ba9-4a3c-8e39-ab9360cade17",
- "risk_score": 50,
  "description": "The same signature has triggered multiple times for a host.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice Signatures::Count_Signature",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Count_Signature\" or rule.name: \"Signatures::Count_Signature\")",
+ "risk_score": 50,
+ "rule_id": "a704589c-8ba9-4a3c-8e39-ab9360cade17",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Count_Signature\" or rule.name: \"Signatures::Count_Signature\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json
index 8e8b9ae8793ae9..06cf39c1c3dbdd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "4f313ae8-cbc6-4082-9599-526f8ccb7303",
- "risk_score": 50,
  "description": "Host has triggered the same signature on multiple hosts.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice Signatures::Multiple_Sig_Responders",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Sig_Responders\" or rule.name: \"Signatures::Multiple_Sig_Responders\")",
+ "risk_score": 50,
+ "rule_id": "4f313ae8-cbc6-4082-9599-526f8ccb7303",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Sig_Responders\" or rule.name: \"Signatures::Multiple_Sig_Responders\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json
index 0d24f030472c61..350e6dfc30e187 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ab90d81c-79e1-4f62-a61e-484c4bedb2b0",
- "risk_score": 50,
  "description": "Host has triggered many signatures on the same host.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice Signatures::Multiple_Signatures",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Signatures\" or rule.name: \"Signatures::Multiple_Signatures\")",
+ "risk_score": 50,
+ "rule_id": "ab90d81c-79e1-4f62-a61e-484c4bedb2b0",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Signatures\" or rule.name: \"Signatures::Multiple_Signatures\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json
index 545c6536904937..c1438edf2e4acf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "ac394dec-67e8-417f-bb06-ae0bd75556b0",
- "risk_score": 50,
  "description": "Generic notice type for notice-worthy signature matches.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice Signatures::Sensitive_Signature",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Sensitive_Signature\" or rule.name: \"Signatures::Sensitive_Signature\")",
+ "risk_score": 50,
+ "rule_id": "ac394dec-67e8-417f-bb06-ae0bd75556b0",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Sensitive_Signature\" or rule.name: \"Signatures::Sensitive_Signature\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json
index 76fb44b6bd24a8..7fd878ceb6c7f8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d17fe857-eb67-4843-ab63-bf4852e49396",
- "risk_score": 50,
  "description": "Summarize the number of times a host triggered a signature.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice Signatures::Signature_Summary",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Signature_Summary\" or rule.name: \"Signatures::Signature_Summary\")",
+ "risk_score": 50,
+ "rule_id": "d17fe857-eb67-4843-ab63-bf4852e49396",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Signature_Summary\" or rule.name: \"Signatures::Signature_Summary\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json
index b1b52dc6c08f2e..1e2579dfd1b4ec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "402d5f78-82cd-4320-8b69-3185e44daf07",
- "risk_score": 50,
  "description": "The originator’s address is seen in the block list error message. This is useful to detect local hosts sending SPAM with a high positive rate.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SMTP::Blocklist_Blocked_Host",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Blocked_Host\" or rule.name: \"SMTP::Blocklist_Blocked_Host\")",
+ "risk_score": 50,
+ "rule_id": "402d5f78-82cd-4320-8b69-3185e44daf07",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Blocked_Host\" or rule.name: \"SMTP::Blocklist_Blocked_Host\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json
index 69adf95592dd72..ae4794bd5481f4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "b9bb4a93-8c5c-4942-9193-e2dc97230034",
- "risk_score": 50,
  "description": "An SMTP server sent a reply mentioning an SMTP block list.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SMTP::Blocklist_Error_Message",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Error_Message\" or rule.name: \"SMTP::Blocklist_Error_Message\")",
+ "risk_score": 50,
+ "rule_id": "b9bb4a93-8c5c-4942-9193-e2dc97230034",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Error_Message\" or rule.name: \"SMTP::Blocklist_Error_Message\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json
index 2414a8a7669a47..ed871f4aa68986 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "cc6e9fef-d936-4faf-8936-e576c089d8b2",
- "risk_score": 50,
  "description": "SMTP message orignated from country or network configured to be suspicious.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SMTP::Suspicious_Origination",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Suspicious_Origination\" or rule.name: \"SMTP::Suspicious_Origination\")",
+ "risk_score": 50,
+ "rule_id": "cc6e9fef-d936-4faf-8936-e576c089d8b2",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Suspicious_Origination\" or rule.name: \"SMTP::Suspicious_Origination\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json
index 87f1472a0420db..5a5cd3f48245f9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json
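Review bot: The description context line of zeek_notice_smtpsuspicious_origination.json still carries the misspelling "orignated", which is user-facing text in the rule list. Since these files appear to be regenerated from saved objects by the conversion script this PR updates, the correction belongs in that source as well, otherwise the next regeneration reintroduces it. Suggested value: `"description": "SMTP message originated from a country or network configured to be suspicious.",`.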
@@ -1,17 +1,17 @@
 {
- "rule_id": "ea1d2c1b-ecfe-42a5-bd0b-56c7a1bd8075",
- "risk_score": 50,
  "description": "Indicates that an interesting software application changed versions on a host.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice Software::Software_Version_Change",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Software_Version_Change\" or rule.name: \"Software::Software_Version_Change\")",
+ "risk_score": 50,
+ "rule_id": "ea1d2c1b-ecfe-42a5-bd0b-56c7a1bd8075",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Software_Version_Change\" or rule.name: \"Software::Software_Version_Change\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json
index 24b803e654fcf5..8addd5ed395624 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "97b4d80c-7671-4301-85a6-954aa0ba96ce",
- "risk_score": 50,
  "description": "Indicates that a vulnerable version of software was detected.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice Software::Vulnerable_Version",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Vulnerable_Version\" or rule.name: \"Software::Vulnerable_Version\")",
+ "risk_score": 50,
+ "rule_id": "97b4d80c-7671-4301-85a6-954aa0ba96ce",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Vulnerable_Version\" or rule.name: \"Software::Vulnerable_Version\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json
index 70e20f85d9b49d..f69ab099bf6d98 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "6a7f2b0a-3f24-4d58-aa84-243f1f0556d9",
- "risk_score": 50,
  "description": "Generated if a login originates or responds with a host where the reverse hostname lookup resolves to a name matched by the SSH::interesting_hostnames regular expression.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SSH::Interesting_Hostname_Login",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Interesting_Hostname_Login\" or rule.name: \"SSH::Interesting_Hostname_Login\")",
+ "risk_score": 50,
+ "rule_id": "6a7f2b0a-3f24-4d58-aa84-243f1f0556d9",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Interesting_Hostname_Login\" or rule.name: \"SSH::Interesting_Hostname_Login\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json
index 7d9402f7a1ec49..3b12aae2f4dd8a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "5600ad95-2244-43db-8a7d-77eea95f80db",
- "risk_score": 50,
  "description": "Indicates that a host previously identified as a \"password guesser\" has now had a successful login attempt.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SSH::Login_By_Password_Guesser",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Login_By_Password_Guesser\" or rule.name: \"SSH::Login_By_Password_Guesser\")",
+ "risk_score": 50,
+ "rule_id": "5600ad95-2244-43db-8a7d-77eea95f80db",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Login_By_Password_Guesser\" or rule.name: \"SSH::Login_By_Password_Guesser\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json
index 00c346bc0ecc7f..4fd7e8ec15ed70 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "e278142a-4ee7-4443-9b1f-421174b0dabf",
- "risk_score": 50,
  "description": "Indicates that a host has been identified as crossing the SSH::password_guesses_limit threshold with failed logins.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SSH::Password_Guessing",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Password_Guessing\" or rule.name: \"SSH::Password_Guessing\")",
+ "risk_score": 50,
+ "rule_id": "e278142a-4ee7-4443-9b1f-421174b0dabf",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Password_Guessing\" or rule.name: \"SSH::Password_Guessing\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json
index 943f56b7c93684..ecd57510441ae0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "983f4b7e-38cd-4d7f-8be6-40447431561e",
- "risk_score": 50,
  "description": "SSH login was seen to or from a \"watched\" country based on the SSH::watched_countries variable",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SSH::Watched_Country_Login",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Watched_Country_Login\" or rule.name: \"SSH::Watched_Country_Login\")",
+ "risk_score": 50,
+ "rule_id": "983f4b7e-38cd-4d7f-8be6-40447431561e",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Watched_Country_Login\" or rule.name: \"SSH::Watched_Country_Login\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json
index 030b56cc577827..0309896ed31eea 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "3981f48e-49a5-4a3e-9b44-900a0887526c",
- "risk_score": 50,
  "description": "Indicates that a certificate’s NotValidAfter date has lapsed and the certificate is now invalid.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SSL::Certificate_Expired",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expired\" or rule.name: \"SSL::Certificate_Expired\")",
+ "risk_score": 50,
+ "rule_id": "3981f48e-49a5-4a3e-9b44-900a0887526c",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expired\" or rule.name: \"SSL::Certificate_Expired\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json
index 702724abcfa643..8f76bdab1a7ea3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "e8207172-3478-4b2c-85b7-6f13d97fff43",
- "risk_score": 50,
  "description": "Indicates that a certificate is going to expire within SSL::notify_when_cert_expiring_in.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SSL::Certificate_Expires_Soon",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expires_Soon\" or rule.name: \"SSL::Certificate_Expires_Soon\")",
+ "risk_score": 50,
+ "rule_id": "e8207172-3478-4b2c-85b7-6f13d97fff43",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expires_Soon\" or rule.name: \"SSL::Certificate_Expires_Soon\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json
index 258fb0cf78b604..785ba45744022c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "45586490-99f6-4e11-8228-2229d727a3b4",
- "risk_score": 50,
  "description": "Indicates that a certificate’s NotValidBefore date is future dated.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
  "immutable": true,
  "interval": "5m",
+ "language": "kuery",
  "name": "Zeek Notice SSL::Certificate_Not_Valid_Yet",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Not_Valid_Yet\" or rule.name: \"SSL::Certificate_Not_Valid_Yet\")",
+ "risk_score": 50,
+ "rule_id": "45586490-99f6-4e11-8228-2229d727a3b4",
  "severity": "low",
- "type": "query",
- "from": "now-6m",
  "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Not_Valid_Yet\" or rule.name: \"SSL::Certificate_Not_Valid_Yet\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
  "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json
index 43c4b46e36c076..3704a1be0cd269 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "eb17fcbb-de22-4aa0-81aa-1c059bdd4f2b",
- "risk_score": 50,
 "description": "This indicates that the OCSP response was not deemed to be valid.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice SSL::Invalid_Ocsp_Response",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Ocsp_Response\" or rule.name: \"SSL::Invalid_Ocsp_Response\")",
+ "risk_score": 50,
+ "rule_id": "eb17fcbb-de22-4aa0-81aa-1c059bdd4f2b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Ocsp_Response\" or rule.name: \"SSL::Invalid_Ocsp_Response\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json
index 8c473f00076241..c068a3ecf0d82c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "13f51fe0-fc74-4c45-90f3-6fb1cd26ec66",
- "risk_score": 50,
 "description": "This notice indicates that the result of validating the certificate along with its full certificate chain was invalid.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice SSL::Invalid_Server_Cert",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Server_Cert\" or rule.name: \"SSL::Invalid_Server_Cert\")",
+ "risk_score": 50,
+ "rule_id": "13f51fe0-fc74-4c45-90f3-6fb1cd26ec66",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Server_Cert\" or rule.name: \"SSL::Invalid_Server_Cert\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json
index ba60fa82a5baea..8d180115eadeac 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "260b680e-c3d6-4c03-90cd-03c86e9f8ec1",
- "risk_score": 50,
 "description": "Indicates that a server is using a potentially unsafe version",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice SSL::Old_Version",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Old_Version\" or rule.name: \"SSL::Old_Version\")",
+ "risk_score": 50,
+ "rule_id": "260b680e-c3d6-4c03-90cd-03c86e9f8ec1",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Old_Version\" or rule.name: \"SSL::Old_Version\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json
index 786b42cb8db50d..602445d1463fe3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "25886074-6ae1-41c0-8546-e8cf55ed1b4b",
- "risk_score": 50,
 "description": "Indicates that a server is using a potentially unsafe cipher",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice SSL::Weak_Cipher",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Cipher\" or rule.name: \"SSL::Weak_Cipher\")",
+ "risk_score": 50,
+ "rule_id": "25886074-6ae1-41c0-8546-e8cf55ed1b4b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Cipher\" or rule.name: \"SSL::Weak_Cipher\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json
index 7120cfe5e81ad0..b88752e9b8c945 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "e020f504-c0e5-4768-8e1f-1e2ec7bac961",
- "risk_score": 50,
 "description": "Indicates that a server is using a potentially unsafe key.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice SSL::Weak_Key",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Key\" or rule.name: \"SSL::Weak_Key\")",
+ "risk_score": 50,
+ "rule_id": "e020f504-c0e5-4768-8e1f-1e2ec7bac961",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Key\" or rule.name: \"SSL::Weak_Key\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json
index 47817a05ea5707..8a36b974dc4fc6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "a130a0ba-b083-4630-b0ea-cceb80d7720b",
- "risk_score": 50,
 "description": "The hash value of a file transferred over HTTP matched in the malware hash registry.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice TeamCymruMalwareHashRegistry::Match",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"TeamCymruMalwareHashRegistry::Match\" or rule.name: \"TeamCymruMalwareHashRegistry::Match\")",
+ "risk_score": 50,
+ "rule_id": "a130a0ba-b083-4630-b0ea-cceb80d7720b",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"TeamCymruMalwareHashRegistry::Match\" or rule.name: \"TeamCymruMalwareHashRegistry::Match\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json
index c676c84347cb55..ec05000118f35d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "aeefe077-f05d-44a7-b757-272fc51c334c",
- "risk_score": 50,
 "description": "Indicates that a host was seen running traceroutes.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Traceroute::Detected",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Traceroute::Detected\" or rule.name: \"Traceroute::Detected\")",
+ "risk_score": 50,
+ "rule_id": "aeefe077-f05d-44a7-b757-272fc51c334c",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Traceroute::Detected\" or rule.name: \"Traceroute::Detected\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json
index fc1da9e414cc5c..dcc5dfcf124ca0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json
@@ -1,17 +1,17 @@
 {
- "rule_id": "d5ad39d0-8421-4f79-ad93-8ddbf7f553b3",
- "risk_score": 50,
 "description": "Generic unusual but notice-worthy weird activity.",
+ "enabled": false,
+ "filters": [],
+ "from": "now-6m",
 "immutable": true,
 "interval": "5m",
+ "language": "kuery",
 "name": "Zeek Notice Weird::Activity",
+ "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Weird::Activity\" or rule.name: \"Weird::Activity\")",
+ "risk_score": 50,
+ "rule_id": "d5ad39d0-8421-4f79-ad93-8ddbf7f553b3",
 "severity": "low",
- "type": "query",
- "from": "now-6m",
 "to": "now",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Weird::Activity\" or rule.name: \"Weird::Activity\")",
- "language": "kuery",
- "filters": [],
- "enabled": false,
+ "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/regen_prepackge_rules_index.sh b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/regen_prepackge_rules_index.sh
new file mode 100755
index 00000000000000..3bcf158703c7d7
--- /dev/null
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/regen_prepackge_rules_index.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set -e
+
+# Regenerates the index.ts that contains all of the rules that are read in from json
+
+PREPACKAGED_RULES_INDEX=../rules/prepackaged_rules/index.ts
+
+echo "/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+// Auto generated file from scripts/regen_prepackage_rules_index.sh
+// Do not hand edit. Run that script to regenerate package information instead
+" > ${PREPACKAGED_RULES_INDEX}
+
+RULE_NUMBER=1
+for f in ../rules/prepackaged_rules/*.json ; do
+ echo "import rule${RULE_NUMBER} from './$(basename -- "$f")';" >> ${PREPACKAGED_RULES_INDEX}
+ RULE_NUMBER=$[$RULE_NUMBER +1]
+done
+
+echo "export const rawRules = [" >> ${PREPACKAGED_RULES_INDEX}
+
+RULE_NUMBER=1
+for f in ../rules/prepackaged_rules/*.json ; do
+ echo " rule${RULE_NUMBER}," >> ${PREPACKAGED_RULES_INDEX}
+ RULE_NUMBER=$[$RULE_NUMBER +1]
+done
+
+echo "];" >> ${PREPACKAGED_RULES_INDEX}
\ No newline at end of file
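Review bot: `RULE_NUMBER=$[$RULE_NUMBER +1]` in both loops uses the deprecated `$[...]` arithmetic form, which is a bash extension; under the `#!/bin/sh` shebang at the top of this file a POSIX sh such as dash would treat it as literal text rather than arithmetic, so the `ruleN` identifiers written to index.ts would come out garbled rather than the script failing under `set -e`. The portable form is `RULE_NUMBER=$((RULE_NUMBER + 1))`. The generated header comment points readers to `scripts/regen_prepackage_rules_index.sh`, but the file being added is `regen_prepackge_rules_index.sh`, so one of the two spellings should be corrected or the reference will not resolve. Both `PREPACKAGED_RULES_INDEX` and the glob are relative to the caller's working directory rather than the script's location, so the script presumably only works when run from the scripts directory; a `cd "$(dirname "$0")"` after `set -e` would make that requirement explicit and prevent it from silently writing an index.ts elsewhere.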