From 1670db4e5feefae6fb6c83fafd9b2a3969fbe4d2 Mon Sep 17 00:00:00 2001 From: The SpaceCake Project Date: Thu, 16 Jan 2020 15:49:26 -0500 Subject: [PATCH] first rule cuts (#54990) * rule cuts first pass at rule cuts, 21 deelted rule files, no adds, no changes. * Update index.ts * index regen Co-authored-by: Elastic Machine --- ...nd_shell_started_by_internet_explorer.json | 68 -- .../command_shell_started_by_powershell.json | 68 -- .../command_shell_started_by_svchost.json | 68 -- ...rk_detect_large_outbound_icmp_packets.json | 17 - ...k_detect_long_dns_txt_record_response.json | 17 - ...s_passing_authentication_in_cleartext.json | 17 - ...windows_child_processes_of_spoolsvexe.json | 17 - ...indows_detect_new_local_admin_account.json | 17 - ...ws_detect_psexec_with_accepteula_flag.json | 17 - ..._cmdexe_to_launch_script_interpreters.json | 17 - .../ece_windows_new_external_device.json | 17 - ...ce_windows_processes_created_by_netsh.json | 17 - ...ece_windows_processes_launching_netsh.json | 17 - ...ece_windows_windows_event_log_cleared.json | 17 - .../rules/prepackaged_rules/index.ts | 672 ++++++++---------- ...va_process_connecting_to_the_internet.json | 118 --- ..._lzop_activity_possible_julianrunnels.json | 17 - .../linux_unusual_shell_activity.json | 93 --- .../powershell_network_connection.json | 68 -- .../process_execution_via_wmi.json | 17 - ...ed_by_acrobat_reader_possible_payload.json | 43 -- ...by_ms_office_program_possible_payload.json | 43 -- .../process_started_by_windows_defender.json | 17 - .../prepackaged_rules/psexec_activity.json | 17 - .../prepackaged_rules/search_windows_10.json | 66 -- .../splunk_child_processes_of_spoolsvexe.json | 17 - ...nk_detect_large_outbound_icmp_packets.json | 17 - ...k_detect_long_dns_txt_record_response.json | 17 - ...splunk_detect_new_local_admin_account.json | 17 - ...nk_detect_psexec_with_accepteula_flag.json | 17 - ..._cmdexe_to_launch_script_interpreters.json | 17 - .../splunk_processes_created_by_netsh.json | 17 - .../splunk_processes_launching_netsh.json | 17 - ...s_passing_authentication_in_cleartext.json | 17 - .../splunk_windows_event_log_cleared.json | 17 - ...uspicious_process_started_by_a_script.json | 43 -- .../prepackaged_rules/windump_activity.json | 17 - 37 files changed, 300 insertions(+), 1492 deletions(-) delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json deleted file mode 100644 index bb9d8c60040f6..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "description": "Command shell started by Internet Explorer", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": false, - "params": { - "query": "cmd.exe" - }, - "type": "phrase", - "value": "cmd.exe" - }, - "query": { - "match": { - "process.name": { - "query": "cmd.exe", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Command shell started by Internet Explorer", - "query": "process.parent.name:iexplore.exe", - "risk_score": 50, - "rule_id": "a0b554d2-85ed-4998-ada3-4ca58b508b35", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json deleted file mode 100644 index d9820f90c55ee..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "description": "Command shell started by Powershell", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": false, - "params": { - "query": "cmd.exe" - }, - "type": "phrase", - "value": "cmd.exe" - }, - "query": { - "match": { - "process.name": { - "query": "cmd.exe", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Command shell started by Powershell", - "query": "process.parent.name:powershell.exe", - "risk_score": 50, - "rule_id": "ab4bbfa5-4127-40bf-852f-bdc6afdb2a06", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json deleted file mode 100644 index a11f69fc3048f..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "description": "Command shell started by Svchost", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": false, - "params": { - "query": "cmd.exe" - }, - "type": "phrase", - "value": "cmd.exe" - }, - "query": { - "match": { - "process.name": { - "query": "cmd.exe", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Command shell started by Svchost", - "query": "process.parent.name:svchost.exe", - "risk_score": 50, - "rule_id": "2e4f8a5e-ce68-44e0-9243-1f57d44c4f30", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json deleted file mode 100644 index faa1c97e4bada..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Network - Detect Large Outbound ICMP Packets", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Network - Detect Large Outbound ICMP Packets", - "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, - "rule_id": "4fce2a7e-0e11-4f17-bae3-8873c5ae62be", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json deleted file mode 100644 index f034e4999107f..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Network - Detect Long DNS TXT Record Response", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Network - Detect Long DNS TXT Record Response", - "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53", - "risk_score": 50, - "rule_id": "cc28f445-318e-4850-8b0d-5ad53eaded74", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json deleted file mode 100644 index d1b5f6be75040..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Network - Protocols passing authentication in cleartext", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Network - Protocols passing authentication in cleartext", - "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp", - "risk_score": 50, - "rule_id": "31f32b3c-415a-4a18-b60f-5748a337246b", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json deleted file mode 100644 index 60d5ffe918585..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Child Processes of Spoolsv.exe", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Child Processes of Spoolsv.exe", - "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ", - "risk_score": 50, - "rule_id": "dcc45d35-f42e-4f97-81e8-90b0597ea0d1", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json deleted file mode 100644 index ca27234b0d8ae..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Detect New Local Admin account", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Detect New Local Admin account", - "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators", - "risk_score": 50, - "rule_id": "461db51b-b1a1-49de-ac63-e1bcbd445602", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json deleted file mode 100644 index 25dcd8234e092..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Detect PsExec With accepteula Flag", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Detect PsExec With accepteula Flag", - "query": "process.name:PsExec.exe and process.args:\"-accepteula\"", - "risk_score": 50, - "rule_id": "304b0e0c-bd06-46f8-aeda-2e719ae434d1", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json deleted file mode 100644 index 70d06ca9a4777..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Detect Use of cmd.exe to Launch Script Interpreters", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Detect Use of cmd.exe to Launch Script Interpreters", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"", - "risk_score": 50, - "rule_id": "b17c215e-8fa5-4087-b8d1-87761a90d710", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json deleted file mode 100644 index 9dbc8d7cbb7ed..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - New External Device Attached", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - New External Device Attached", - "query": "event.code:6416", - "risk_score": 50, - "rule_id": "c0747553-5763-5d85-cd97-898f2daa2bde", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json deleted file mode 100644 index 3f4e1a6243a96..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Processes created by netsh", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Processes created by netsh", - "query": "process.parent.name:netsh.exe", - "risk_score": 50, - "rule_id": "e312dd9e-4760-4a71-a241-9b9a835a51c4", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json deleted file mode 100644 index 34d08d7596e11..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Processes launching netsh", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Processes launching netsh", - "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ", - "risk_score": 50, - "rule_id": "3b8db8aa-5734-405e-8dda-703129078a35", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json deleted file mode 100644 index bd82247203f00..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Windows - Windows Event Log Cleared", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Windows - Windows Event Log Cleared", - "query": "event.code:(1102 or 1100)", - "risk_score": 50, - "rule_id": "b94b5177-ca7f-468a-9a1d-aef39c30a3ae", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts index 8a353e4b2b301..6ef81addd846e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts @@ -10,342 +10,306 @@ import rule1 from './403_response_to_a_post.json'; import rule2 from './405_response_method_not_allowed.json'; import rule3 from './500_response_on_admin_page.json'; -import rule4 from './command_shell_started_by_internet_explorer.json'; -import rule5 from './command_shell_started_by_powershell.json'; -import rule6 from './command_shell_started_by_svchost.json'; -import rule7 from './ece_network_detect_large_outbound_icmp_packets.json'; -import rule8 from './ece_network_detect_long_dns_txt_record_response.json'; -import rule9 from './ece_network_protocols_passing_authentication_in_cleartext.json'; -import rule10 from './ece_windows_child_processes_of_spoolsvexe.json'; -import rule11 from './ece_windows_detect_new_local_admin_account.json'; -import rule12 from './ece_windows_detect_psexec_with_accepteula_flag.json'; -import rule13 from './ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json'; -import rule14 from './ece_windows_new_external_device.json'; -import rule15 from './ece_windows_processes_created_by_netsh.json'; -import rule16 from './ece_windows_processes_launching_netsh.json'; -import rule17 from './ece_windows_windows_event_log_cleared.json'; -import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; -import rule19 from './eql_adobe_hijack_persistence.json'; -import rule20 from './eql_audio_capture_via_powershell.json'; -import rule21 from './eql_audio_capture_via_soundrecorder.json'; -import rule22 from './eql_bypass_uac_event_viewer.json'; -import rule23 from './eql_bypass_uac_via_cmstp.json'; -import rule24 from './eql_bypass_uac_via_sdclt.json'; -import rule25 from './eql_clearing_windows_event_logs.json'; -import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json'; -import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json'; -import rule28 from './eql_direct_outbound_smb_connection.json'; -import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json'; -import rule30 from './eql_dll_search_order_hijack.json'; -import rule31 from './eql_encoding_or_decoding_files_via_certutil.json'; -import rule32 from './eql_local_scheduled_task_commands.json'; -import rule33 from './eql_local_service_commands.json'; -import rule34 from './eql_modification_of_boot_configuration.json'; -import rule35 from './eql_msbuild_making_network_connections.json'; -import rule36 from './eql_mshta_making_network_connections.json'; -import rule37 from './eql_msxsl_making_network_connections.json'; -import rule38 from './eql_psexec_lateral_movement_command.json'; -import rule39 from './eql_suspicious_ms_office_child_process.json'; -import rule40 from './eql_suspicious_ms_outlook_child_process.json'; -import rule41 from './eql_suspicious_pdf_reader_child_process.json'; -import rule42 from './eql_system_shells_via_services.json'; -import rule43 from './eql_unusual_network_connection_via_rundll32.json'; -import rule44 from './eql_unusual_parentchild_relationship.json'; -import rule45 from './eql_unusual_process_network_connection.json'; -import rule46 from './eql_user_account_creation.json'; -import rule47 from './eql_user_added_to_administrator_group.json'; -import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; -import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json'; -import rule50 from './eql_windows_script_executing_powershell.json'; -import rule51 from './eql_wmic_command_lateral_movement.json'; -import rule52 from './linux_hping_activity.json'; -import rule53 from './linux_iodine_activity.json'; -import rule54 from './linux_java_process_connecting_to_the_internet.json'; -import rule55 from './linux_kernel_module_activity.json'; -import rule56 from './linux_ldso_process_activity.json'; -import rule57 from './linux_lzop_activity.json'; -import rule58 from './linux_lzop_activity_possible_julianrunnels.json'; -import rule59 from './linux_mknod_activity.json'; -import rule60 from './linux_netcat_network_connection.json'; -import rule61 from './linux_network_anomalous_process_using_https_ports.json'; -import rule62 from './linux_nmap_activity.json'; -import rule63 from './linux_nping_activity.json'; -import rule64 from './linux_process_started_in_temp_directory.json'; -import rule65 from './linux_ptrace_activity.json'; -import rule66 from './linux_rawshark_activity.json'; -import rule67 from './linux_shell_activity_by_web_server.json'; -import rule68 from './linux_socat_activity.json'; -import rule69 from './linux_ssh_forwarding.json'; -import rule70 from './linux_strace_activity.json'; -import rule71 from './linux_tcpdump_activity.json'; -import rule72 from './linux_unusual_shell_activity.json'; -import rule73 from './linux_web_download.json'; -import rule74 from './linux_whoami_commmand.json'; -import rule75 from './network_dns_directly_to_the_internet.json'; -import rule76 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; -import rule77 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; -import rule78 from './network_nat_traversal_port_activity.json'; -import rule79 from './network_port_26_activity.json'; -import rule80 from './network_port_8000_activity.json'; -import rule81 from './network_port_8000_activity_to_the_internet.json'; -import rule82 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; -import rule83 from './network_proxy_port_activity_to_the_internet.json'; -import rule84 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; -import rule85 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; -import rule86 from './network_rpc_remote_procedure_call_from_the_internet.json'; -import rule87 from './network_rpc_remote_procedure_call_to_the_internet.json'; -import rule88 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule89 from './network_smtp_to_the_internet.json'; -import rule90 from './network_sql_server_port_activity_to_the_internet.json'; -import rule91 from './network_ssh_secure_shell_from_the_internet.json'; -import rule92 from './network_ssh_secure_shell_to_the_internet.json'; -import rule93 from './network_telnet_port_activity.json'; -import rule94 from './network_tor_activity_to_the_internet.json'; -import rule95 from './network_vnc_virtual_network_computing_from_the_internet.json'; -import rule96 from './network_vnc_virtual_network_computing_to_the_internet.json'; -import rule97 from './null_user_agent.json'; -import rule98 from './powershell_network_connection.json'; -import rule99 from './process_execution_via_wmi.json'; -import rule100 from './process_started_by_acrobat_reader_possible_payload.json'; -import rule101 from './process_started_by_ms_office_program_possible_payload.json'; -import rule102 from './process_started_by_windows_defender.json'; -import rule103 from './psexec_activity.json'; -import rule104 from './search_windows_10.json'; -import rule105 from './splunk_child_processes_of_spoolsvexe.json'; -import rule106 from './splunk_detect_large_outbound_icmp_packets.json'; -import rule107 from './splunk_detect_long_dns_txt_record_response.json'; -import rule108 from './splunk_detect_new_local_admin_account.json'; -import rule109 from './splunk_detect_psexec_with_accepteula_flag.json'; -import rule110 from './splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json'; -import rule111 from './splunk_processes_created_by_netsh.json'; -import rule112 from './splunk_processes_launching_netsh.json'; -import rule113 from './splunk_protocols_passing_authentication_in_cleartext.json'; -import rule114 from './splunk_windows_event_log_cleared.json'; -import rule115 from './sqlmap_user_agent.json'; -import rule116 from './suricata_base64_encoded_invokecommand_powershell_execution.json'; -import rule117 from './suricata_base64_encoded_newobject_powershell_execution.json'; -import rule118 from './suricata_base64_encoded_startprocess_powershell_execution.json'; -import rule119 from './suricata_category_a_suspicious_string_was_detected.json'; -import rule120 from './suricata_category_attempted_administrator_privilege_gain.json'; -import rule121 from './suricata_category_attempted_denial_of_service.json'; -import rule122 from './suricata_category_attempted_information_leak.json'; -import rule123 from './suricata_category_attempted_login_with_suspicious_username.json'; -import rule124 from './suricata_category_attempted_user_privilege_gain.json'; -import rule125 from './suricata_category_client_using_unusual_port.json'; -import rule126 from './suricata_category_crypto_currency_mining_activity.json'; -import rule127 from './suricata_category_decode_of_an_rpc_query.json'; -import rule128 from './suricata_category_default_username_and_password_login_attempt.json'; -import rule129 from './suricata_category_denial_of_service.json'; -import rule130 from './suricata_category_denial_of_service_attack.json'; -import rule131 from './suricata_category_executable_code_was_detected.json'; -import rule132 from './suricata_category_exploit_kit_activity.json'; -import rule133 from './suricata_category_external_ip_address_retrieval.json'; -import rule134 from './suricata_category_generic_icmp_event.json'; -import rule135 from './suricata_category_generic_protocol_command_decode.json'; -import rule136 from './suricata_category_information_leak.json'; -import rule137 from './suricata_category_large_scale_information_leak.json'; -import rule138 from './suricata_category_malware_command_and_control_activity.json'; -import rule139 from './suricata_category_misc_activity.json'; -import rule140 from './suricata_category_misc_attack.json'; -import rule141 from './suricata_category_network_scan_detected.json'; -import rule142 from './suricata_category_network_trojan_detected.json'; -import rule143 from './suricata_category_nonstandard_protocol_or_event.json'; -import rule144 from './suricata_category_not_suspicious_traffic.json'; -import rule145 from './suricata_category_observed_c2_domain.json'; -import rule146 from './suricata_category_possible_social_engineering_attempted.json'; -import rule147 from './suricata_category_possibly_unwanted_program.json'; -import rule148 from './suricata_category_potential_corporate_privacy_violation.json'; -import rule149 from './suricata_category_potentially_bad_traffic.json'; -import rule150 from './suricata_category_potentially_vulnerable_web_application_access.json'; -import rule151 from './suricata_category_successful_administrator_privilege_gain.json'; -import rule152 from './suricata_category_successful_credential_theft.json'; -import rule153 from './suricata_category_successful_user_privilege_gain.json'; -import rule154 from './suricata_category_suspicious_filename_detected.json'; -import rule155 from './suricata_category_system_call_detected.json'; -import rule156 from './suricata_category_targeted_malicious_activity.json'; -import rule157 from './suricata_category_tcp_connection_detected.json'; -import rule158 from './suricata_category_unknown_traffic.json'; -import rule159 from './suricata_category_unsuccessful_user_privilege_gain.json'; -import rule160 from './suricata_category_web_application_attack.json'; -import rule161 from './suricata_cobaltstrike_artifact_in_an_dns_request.json'; -import rule162 from './suricata_commonly_abused_dns_domain_detected.json'; -import rule163 from './suricata_directory_reversal_characters_in_an_http_request.json'; -import rule164 from './suricata_directory_traversal_characters_in_an_http_request.json'; -import rule165 from './suricata_directory_traversal_characters_in_http_response.json'; -import rule166 from './suricata_directory_traversal_in_downloaded_zip_file.json'; -import rule167 from './suricata_dns_traffic_on_unusual_tcp_port.json'; -import rule168 from './suricata_dns_traffic_on_unusual_udp_port.json'; -import rule169 from './suricata_double_encoded_characters_in_a_uri.json'; -import rule170 from './suricata_double_encoded_characters_in_an_http_post.json'; -import rule171 from './suricata_double_encoded_characters_in_http_request.json'; -import rule172 from './suricata_eval_php_function_in_an_http_request.json'; -import rule173 from './suricata_exploit_cve_2018_1000861.json'; -import rule174 from './suricata_exploit_cve_2019_0227.json'; -import rule175 from './suricata_exploit_cve_2019_0232.json'; -import rule176 from './suricata_exploit_cve_2019_0604.json'; -import rule177 from './suricata_exploit_cve_2019_0708.json'; -import rule178 from './suricata_exploit_cve_2019_0752.json'; -import rule179 from './suricata_exploit_cve_2019_1003000.json'; -import rule180 from './suricata_exploit_cve_2019_10149.json'; -import rule181 from './suricata_exploit_cve_2019_11043.json'; -import rule182 from './suricata_exploit_cve_2019_11510.json'; -import rule183 from './suricata_exploit_cve_2019_11580.json'; -import rule184 from './suricata_exploit_cve_2019_11581.json'; -import rule185 from './suricata_exploit_cve_2019_13450.json'; -import rule186 from './suricata_exploit_cve_2019_13505.json'; -import rule187 from './suricata_exploit_cve_2019_15107.json'; -import rule188 from './suricata_exploit_cve_2019_15846.json'; -import rule189 from './suricata_exploit_cve_2019_16072.json'; -import rule190 from './suricata_exploit_cve_2019_1652.json'; -import rule191 from './suricata_exploit_cve_2019_16662.json'; -import rule192 from './suricata_exploit_cve_2019_16759.json'; -import rule193 from './suricata_exploit_cve_2019_16928.json'; -import rule194 from './suricata_exploit_cve_2019_17270.json'; -import rule195 from './suricata_exploit_cve_2019_1821.json'; -import rule196 from './suricata_exploit_cve_2019_19781.json'; -import rule197 from './suricata_exploit_cve_2019_2618.json'; -import rule198 from './suricata_exploit_cve_2019_2725.json'; -import rule199 from './suricata_exploit_cve_2019_3396.json'; -import rule200 from './suricata_exploit_cve_2019_3929.json'; -import rule201 from './suricata_exploit_cve_2019_5533.json'; -import rule202 from './suricata_exploit_cve_2019_6340.json'; -import rule203 from './suricata_exploit_cve_2019_7256.json'; -import rule204 from './suricata_exploit_cve_2019_9978.json'; -import rule205 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json'; -import rule206 from './suricata_http_traffic_on_unusual_port_internet_destination.json'; -import rule207 from './suricata_imap_traffic_on_unusual_port_internet_destination.json'; -import rule208 from './suricata_lazagne_artifact_in_an_http_post.json'; -import rule209 from './suricata_mimikatz_artifacts_in_an_http_post.json'; -import rule210 from './suricata_mimikatz_string_detected_in_http_response.json'; -import rule211 from './suricata_nondns_traffic_on_tcp_port_53.json'; -import rule212 from './suricata_nondns_traffic_on_udp_port_53.json'; -import rule213 from './suricata_nonftp_traffic_on_port_21.json'; -import rule214 from './suricata_nonhttp_traffic_on_tcp_port_80.json'; -import rule215 from './suricata_nonimap_traffic_on_port_1443_imap.json'; -import rule216 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json'; -import rule217 from './suricata_nonssh_traffic_on_port_22.json'; -import rule218 from './suricata_nontls_on_tls_port.json'; -import rule219 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json'; -import rule220 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json'; -import rule221 from './suricata_rpc_traffic_on_http_ports.json'; -import rule222 from './suricata_serialized_php_detected.json'; -import rule223 from './suricata_shell_exec_php_function_in_an_http_post.json'; -import rule224 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json'; -import rule225 from './suricata_tls_traffic_on_unusual_port_internet_destination.json'; -import rule226 from './suricata_windows_executable_served_by_jpeg_web_content.json'; -import rule227 from './suspicious_process_started_by_a_script.json'; -import rule228 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; -import rule229 from './windows_burp_ce_activity.json'; -import rule230 from './windows_certutil_connecting_to_the_internet.json'; -import rule231 from './windows_command_prompt_connecting_to_the_internet.json'; -import rule232 from './windows_command_shell_started_by_internet_explorer.json'; -import rule233 from './windows_command_shell_started_by_powershell.json'; -import rule234 from './windows_command_shell_started_by_svchost.json'; -import rule235 from './windows_credential_dumping_commands.json'; -import rule236 from './windows_credential_dumping_via_imageload.json'; -import rule237 from './windows_credential_dumping_via_registry_save.json'; -import rule238 from './windows_data_compression_using_powershell.json'; -import rule239 from './windows_defense_evasion_decoding_using_certutil.json'; -import rule240 from './windows_defense_evasion_or_persistence_via_hidden_files.json'; -import rule241 from './windows_defense_evasion_via_filter_manager.json'; -import rule242 from './windows_defense_evasion_via_windows_event_log_tools.json'; -import rule243 from './windows_execution_via_compiled_html_file.json'; -import rule244 from './windows_execution_via_connection_manager.json'; -import rule245 from './windows_execution_via_microsoft_html_application_hta.json'; -import rule246 from './windows_execution_via_net_com_assemblies.json'; -import rule247 from './windows_execution_via_regsvr32.json'; -import rule248 from './windows_execution_via_trusted_developer_utilities.json'; -import rule249 from './windows_html_help_executable_program_connecting_to_the_internet.json'; -import rule250 from './windows_image_load_from_a_temp_directory.json'; -import rule251 from './windows_indirect_command_execution.json'; -import rule252 from './windows_iodine_activity.json'; -import rule253 from './windows_management_instrumentation_wmi_execution.json'; -import rule254 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json'; -import rule255 from './windows_mimikatz_activity.json'; -import rule256 from './windows_misc_lolbin_connecting_to_the_internet.json'; -import rule257 from './windows_net_command_activity_by_the_system_account.json'; -import rule258 from './windows_net_user_command_activity.json'; -import rule259 from './windows_netcat_activity.json'; -import rule260 from './windows_netcat_network_activity.json'; -import rule261 from './windows_network_anomalous_windows_process_using_https_ports.json'; -import rule262 from './windows_nmap_activity.json'; -import rule263 from './windows_nmap_scan_activity.json'; -import rule264 from './windows_payload_obfuscation_via_certutil.json'; -import rule265 from './windows_persistence_or_priv_escalation_via_hooking.json'; -import rule266 from './windows_persistence_via_application_shimming.json'; -import rule267 from './windows_persistence_via_bits_jobs.json'; -import rule268 from './windows_persistence_via_modification_of_existing_service.json'; -import rule269 from './windows_persistence_via_netshell_helper_dll.json'; -import rule270 from './windows_powershell_connecting_to_the_internet.json'; -import rule271 from './windows_priv_escalation_via_accessibility_features.json'; -import rule272 from './windows_process_discovery_via_tasklist_command.json'; -import rule273 from './windows_process_execution_via_wmi.json'; -import rule274 from './windows_process_started_by_acrobat_reader_possible_payload.json'; -import rule275 from './windows_process_started_by_ms_office_program_possible_payload.json'; -import rule276 from './windows_process_started_by_the_java_runtime.json'; -import rule277 from './windows_psexec_activity.json'; -import rule278 from './windows_register_server_program_connecting_to_the_internet.json'; -import rule279 from './windows_registry_query_local.json'; -import rule280 from './windows_registry_query_network.json'; -import rule281 from './windows_remote_management_execution.json'; -import rule282 from './windows_scheduled_task_activity.json'; -import rule283 from './windows_script_interpreter_connecting_to_the_internet.json'; -import rule284 from './windows_signed_binary_proxy_execution.json'; -import rule285 from './windows_signed_binary_proxy_execution_download.json'; -import rule286 from './windows_suspicious_process_started_by_a_script.json'; -import rule287 from './windows_whoami_command_activity.json'; -import rule288 from './windows_windump_activity.json'; -import rule289 from './windows_wireshark_activity.json'; -import rule290 from './windump_activity.json'; -import rule291 from './zeek_notice_capturelosstoo_much_loss.json'; -import rule292 from './zeek_notice_conncontent_gap.json'; -import rule293 from './zeek_notice_connretransmission_inconsistency.json'; -import rule294 from './zeek_notice_dnsexternal_name.json'; -import rule295 from './zeek_notice_ftpbruteforcing.json'; -import rule296 from './zeek_notice_ftpsite_exec_success.json'; -import rule297 from './zeek_notice_heartbleedssl_heartbeat_attack.json'; -import rule298 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json'; -import rule299 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json'; -import rule300 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json'; -import rule301 from './zeek_notice_httpsql_injection_attacker.json'; -import rule302 from './zeek_notice_httpsql_injection_victim.json'; -import rule303 from './zeek_notice_intelnotice.json'; -import rule304 from './zeek_notice_noticetally.json'; -import rule305 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json'; -import rule306 from './zeek_notice_packetfiltercompile_failure.json'; -import rule307 from './zeek_notice_packetfilterdropped_packets.json'; -import rule308 from './zeek_notice_packetfilterinstall_failure.json'; -import rule309 from './zeek_notice_packetfilterno_more_conn_shunts_available.json'; -import rule310 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json'; -import rule311 from './zeek_notice_protocoldetectorprotocol_found.json'; -import rule312 from './zeek_notice_protocoldetectorserver_found.json'; -import rule313 from './zeek_notice_scanaddress_scan.json'; -import rule314 from './zeek_notice_scanport_scan.json'; -import rule315 from './zeek_notice_signaturescount_signature.json'; -import rule316 from './zeek_notice_signaturesmultiple_sig_responders.json'; -import rule317 from './zeek_notice_signaturesmultiple_signatures.json'; -import rule318 from './zeek_notice_signaturessensitive_signature.json'; -import rule319 from './zeek_notice_signaturessignature_summary.json'; -import rule320 from './zeek_notice_smtpblocklist_blocked_host.json'; -import rule321 from './zeek_notice_smtpblocklist_error_message.json'; -import rule322 from './zeek_notice_smtpsuspicious_origination.json'; -import rule323 from './zeek_notice_softwaresoftware_version_change.json'; -import rule324 from './zeek_notice_softwarevulnerable_version.json'; -import rule325 from './zeek_notice_sshinteresting_hostname_login.json'; -import rule326 from './zeek_notice_sshlogin_by_password_guesser.json'; -import rule327 from './zeek_notice_sshpassword_guessing.json'; -import rule328 from './zeek_notice_sshwatched_country_login.json'; -import rule329 from './zeek_notice_sslcertificate_expired.json'; -import rule330 from './zeek_notice_sslcertificate_expires_soon.json'; -import rule331 from './zeek_notice_sslcertificate_not_valid_yet.json'; -import rule332 from './zeek_notice_sslinvalid_ocsp_response.json'; -import rule333 from './zeek_notice_sslinvalid_server_cert.json'; -import rule334 from './zeek_notice_sslold_version.json'; -import rule335 from './zeek_notice_sslweak_cipher.json'; -import rule336 from './zeek_notice_sslweak_key.json'; -import rule337 from './zeek_notice_teamcymrumalwarehashregistrymatch.json'; -import rule338 from './zeek_notice_traceroutedetected.json'; -import rule339 from './zeek_notice_weirdactivity.json'; +import rule4 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; +import rule5 from './eql_adobe_hijack_persistence.json'; +import rule6 from './eql_audio_capture_via_powershell.json'; +import rule7 from './eql_audio_capture_via_soundrecorder.json'; +import rule8 from './eql_bypass_uac_event_viewer.json'; +import rule9 from './eql_bypass_uac_via_cmstp.json'; +import rule10 from './eql_bypass_uac_via_sdclt.json'; +import rule11 from './eql_clearing_windows_event_logs.json'; +import rule12 from './eql_delete_volume_usn_journal_with_fsutil.json'; +import rule13 from './eql_deleting_backup_catalogs_with_wbadmin.json'; +import rule14 from './eql_direct_outbound_smb_connection.json'; +import rule15 from './eql_disable_windows_firewall_rules_with_netsh.json'; +import rule16 from './eql_dll_search_order_hijack.json'; +import rule17 from './eql_encoding_or_decoding_files_via_certutil.json'; +import rule18 from './eql_local_scheduled_task_commands.json'; +import rule19 from './eql_local_service_commands.json'; +import rule20 from './eql_modification_of_boot_configuration.json'; +import rule21 from './eql_msbuild_making_network_connections.json'; +import rule22 from './eql_mshta_making_network_connections.json'; +import rule23 from './eql_msxsl_making_network_connections.json'; +import rule24 from './eql_psexec_lateral_movement_command.json'; +import rule25 from './eql_suspicious_ms_office_child_process.json'; +import rule26 from './eql_suspicious_ms_outlook_child_process.json'; +import rule27 from './eql_suspicious_pdf_reader_child_process.json'; +import rule28 from './eql_system_shells_via_services.json'; +import rule29 from './eql_unusual_network_connection_via_rundll32.json'; +import rule30 from './eql_unusual_parentchild_relationship.json'; +import rule31 from './eql_unusual_process_network_connection.json'; +import rule32 from './eql_user_account_creation.json'; +import rule33 from './eql_user_added_to_administrator_group.json'; +import rule34 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; +import rule35 from './eql_volume_shadow_copy_deletion_via_wmic.json'; +import rule36 from './eql_windows_script_executing_powershell.json'; +import rule37 from './eql_wmic_command_lateral_movement.json'; +import rule38 from './linux_hping_activity.json'; +import rule39 from './linux_iodine_activity.json'; +import rule40 from './linux_kernel_module_activity.json'; +import rule41 from './linux_ldso_process_activity.json'; +import rule42 from './linux_lzop_activity.json'; +import rule43 from './linux_mknod_activity.json'; +import rule44 from './linux_netcat_network_connection.json'; +import rule45 from './linux_network_anomalous_process_using_https_ports.json'; +import rule46 from './linux_nmap_activity.json'; +import rule47 from './linux_nping_activity.json'; +import rule48 from './linux_process_started_in_temp_directory.json'; +import rule49 from './linux_ptrace_activity.json'; +import rule50 from './linux_rawshark_activity.json'; +import rule51 from './linux_shell_activity_by_web_server.json'; +import rule52 from './linux_socat_activity.json'; +import rule53 from './linux_ssh_forwarding.json'; +import rule54 from './linux_strace_activity.json'; +import rule55 from './linux_tcpdump_activity.json'; +import rule56 from './linux_web_download.json'; +import rule57 from './linux_whoami_commmand.json'; +import rule58 from './network_dns_directly_to_the_internet.json'; +import rule59 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; +import rule60 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; +import rule61 from './network_nat_traversal_port_activity.json'; +import rule62 from './network_port_26_activity.json'; +import rule63 from './network_port_8000_activity.json'; +import rule64 from './network_port_8000_activity_to_the_internet.json'; +import rule65 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; +import rule66 from './network_proxy_port_activity_to_the_internet.json'; +import rule67 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; +import rule68 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; +import rule69 from './network_rpc_remote_procedure_call_from_the_internet.json'; +import rule70 from './network_rpc_remote_procedure_call_to_the_internet.json'; +import rule71 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; +import rule72 from './network_smtp_to_the_internet.json'; +import rule73 from './network_sql_server_port_activity_to_the_internet.json'; +import rule74 from './network_ssh_secure_shell_from_the_internet.json'; +import rule75 from './network_ssh_secure_shell_to_the_internet.json'; +import rule76 from './network_telnet_port_activity.json'; +import rule77 from './network_tor_activity_to_the_internet.json'; +import rule78 from './network_vnc_virtual_network_computing_from_the_internet.json'; +import rule79 from './network_vnc_virtual_network_computing_to_the_internet.json'; +import rule80 from './null_user_agent.json'; +import rule81 from './sqlmap_user_agent.json'; +import rule82 from './suricata_base64_encoded_invokecommand_powershell_execution.json'; +import rule83 from './suricata_base64_encoded_newobject_powershell_execution.json'; +import rule84 from './suricata_base64_encoded_startprocess_powershell_execution.json'; +import rule85 from './suricata_category_a_suspicious_string_was_detected.json'; +import rule86 from './suricata_category_attempted_administrator_privilege_gain.json'; +import rule87 from './suricata_category_attempted_denial_of_service.json'; +import rule88 from './suricata_category_attempted_information_leak.json'; +import rule89 from './suricata_category_attempted_login_with_suspicious_username.json'; +import rule90 from './suricata_category_attempted_user_privilege_gain.json'; +import rule91 from './suricata_category_client_using_unusual_port.json'; +import rule92 from './suricata_category_crypto_currency_mining_activity.json'; +import rule93 from './suricata_category_decode_of_an_rpc_query.json'; +import rule94 from './suricata_category_default_username_and_password_login_attempt.json'; +import rule95 from './suricata_category_denial_of_service.json'; +import rule96 from './suricata_category_denial_of_service_attack.json'; +import rule97 from './suricata_category_executable_code_was_detected.json'; +import rule98 from './suricata_category_exploit_kit_activity.json'; +import rule99 from './suricata_category_external_ip_address_retrieval.json'; +import rule100 from './suricata_category_generic_icmp_event.json'; +import rule101 from './suricata_category_generic_protocol_command_decode.json'; +import rule102 from './suricata_category_information_leak.json'; +import rule103 from './suricata_category_large_scale_information_leak.json'; +import rule104 from './suricata_category_malware_command_and_control_activity.json'; +import rule105 from './suricata_category_misc_activity.json'; +import rule106 from './suricata_category_misc_attack.json'; +import rule107 from './suricata_category_network_scan_detected.json'; +import rule108 from './suricata_category_network_trojan_detected.json'; +import rule109 from './suricata_category_nonstandard_protocol_or_event.json'; +import rule110 from './suricata_category_not_suspicious_traffic.json'; +import rule111 from './suricata_category_observed_c2_domain.json'; +import rule112 from './suricata_category_possible_social_engineering_attempted.json'; +import rule113 from './suricata_category_possibly_unwanted_program.json'; +import rule114 from './suricata_category_potential_corporate_privacy_violation.json'; +import rule115 from './suricata_category_potentially_bad_traffic.json'; +import rule116 from './suricata_category_potentially_vulnerable_web_application_access.json'; +import rule117 from './suricata_category_successful_administrator_privilege_gain.json'; +import rule118 from './suricata_category_successful_credential_theft.json'; +import rule119 from './suricata_category_successful_user_privilege_gain.json'; +import rule120 from './suricata_category_suspicious_filename_detected.json'; +import rule121 from './suricata_category_system_call_detected.json'; +import rule122 from './suricata_category_targeted_malicious_activity.json'; +import rule123 from './suricata_category_tcp_connection_detected.json'; +import rule124 from './suricata_category_unknown_traffic.json'; +import rule125 from './suricata_category_unsuccessful_user_privilege_gain.json'; +import rule126 from './suricata_category_web_application_attack.json'; +import rule127 from './suricata_cobaltstrike_artifact_in_an_dns_request.json'; +import rule128 from './suricata_commonly_abused_dns_domain_detected.json'; +import rule129 from './suricata_directory_reversal_characters_in_an_http_request.json'; +import rule130 from './suricata_directory_traversal_characters_in_an_http_request.json'; +import rule131 from './suricata_directory_traversal_characters_in_http_response.json'; +import rule132 from './suricata_directory_traversal_in_downloaded_zip_file.json'; +import rule133 from './suricata_dns_traffic_on_unusual_tcp_port.json'; +import rule134 from './suricata_dns_traffic_on_unusual_udp_port.json'; +import rule135 from './suricata_double_encoded_characters_in_a_uri.json'; +import rule136 from './suricata_double_encoded_characters_in_an_http_post.json'; +import rule137 from './suricata_double_encoded_characters_in_http_request.json'; +import rule138 from './suricata_eval_php_function_in_an_http_request.json'; +import rule139 from './suricata_exploit_cve_2018_1000861.json'; +import rule140 from './suricata_exploit_cve_2019_0227.json'; +import rule141 from './suricata_exploit_cve_2019_0232.json'; +import rule142 from './suricata_exploit_cve_2019_0604.json'; +import rule143 from './suricata_exploit_cve_2019_0708.json'; +import rule144 from './suricata_exploit_cve_2019_0752.json'; +import rule145 from './suricata_exploit_cve_2019_1003000.json'; +import rule146 from './suricata_exploit_cve_2019_10149.json'; +import rule147 from './suricata_exploit_cve_2019_11043.json'; +import rule148 from './suricata_exploit_cve_2019_11510.json'; +import rule149 from './suricata_exploit_cve_2019_11580.json'; +import rule150 from './suricata_exploit_cve_2019_11581.json'; +import rule151 from './suricata_exploit_cve_2019_13450.json'; +import rule152 from './suricata_exploit_cve_2019_13505.json'; +import rule153 from './suricata_exploit_cve_2019_15107.json'; +import rule154 from './suricata_exploit_cve_2019_15846.json'; +import rule155 from './suricata_exploit_cve_2019_16072.json'; +import rule156 from './suricata_exploit_cve_2019_1652.json'; +import rule157 from './suricata_exploit_cve_2019_16662.json'; +import rule158 from './suricata_exploit_cve_2019_16759.json'; +import rule159 from './suricata_exploit_cve_2019_16928.json'; +import rule160 from './suricata_exploit_cve_2019_17270.json'; +import rule161 from './suricata_exploit_cve_2019_1821.json'; +import rule162 from './suricata_exploit_cve_2019_19781.json'; +import rule163 from './suricata_exploit_cve_2019_2618.json'; +import rule164 from './suricata_exploit_cve_2019_2725.json'; +import rule165 from './suricata_exploit_cve_2019_3396.json'; +import rule166 from './suricata_exploit_cve_2019_3929.json'; +import rule167 from './suricata_exploit_cve_2019_5533.json'; +import rule168 from './suricata_exploit_cve_2019_6340.json'; +import rule169 from './suricata_exploit_cve_2019_7256.json'; +import rule170 from './suricata_exploit_cve_2019_9978.json'; +import rule171 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json'; +import rule172 from './suricata_http_traffic_on_unusual_port_internet_destination.json'; +import rule173 from './suricata_imap_traffic_on_unusual_port_internet_destination.json'; +import rule174 from './suricata_lazagne_artifact_in_an_http_post.json'; +import rule175 from './suricata_mimikatz_artifacts_in_an_http_post.json'; +import rule176 from './suricata_mimikatz_string_detected_in_http_response.json'; +import rule177 from './suricata_nondns_traffic_on_tcp_port_53.json'; +import rule178 from './suricata_nondns_traffic_on_udp_port_53.json'; +import rule179 from './suricata_nonftp_traffic_on_port_21.json'; +import rule180 from './suricata_nonhttp_traffic_on_tcp_port_80.json'; +import rule181 from './suricata_nonimap_traffic_on_port_1443_imap.json'; +import rule182 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json'; +import rule183 from './suricata_nonssh_traffic_on_port_22.json'; +import rule184 from './suricata_nontls_on_tls_port.json'; +import rule185 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json'; +import rule186 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json'; +import rule187 from './suricata_rpc_traffic_on_http_ports.json'; +import rule188 from './suricata_serialized_php_detected.json'; +import rule189 from './suricata_shell_exec_php_function_in_an_http_post.json'; +import rule190 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json'; +import rule191 from './suricata_tls_traffic_on_unusual_port_internet_destination.json'; +import rule192 from './suricata_windows_executable_served_by_jpeg_web_content.json'; +import rule193 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; +import rule194 from './windows_burp_ce_activity.json'; +import rule195 from './windows_certutil_connecting_to_the_internet.json'; +import rule196 from './windows_command_prompt_connecting_to_the_internet.json'; +import rule197 from './windows_command_shell_started_by_internet_explorer.json'; +import rule198 from './windows_command_shell_started_by_powershell.json'; +import rule199 from './windows_command_shell_started_by_svchost.json'; +import rule200 from './windows_credential_dumping_commands.json'; +import rule201 from './windows_credential_dumping_via_imageload.json'; +import rule202 from './windows_credential_dumping_via_registry_save.json'; +import rule203 from './windows_data_compression_using_powershell.json'; +import rule204 from './windows_defense_evasion_decoding_using_certutil.json'; +import rule205 from './windows_defense_evasion_or_persistence_via_hidden_files.json'; +import rule206 from './windows_defense_evasion_via_filter_manager.json'; +import rule207 from './windows_defense_evasion_via_windows_event_log_tools.json'; +import rule208 from './windows_execution_via_compiled_html_file.json'; +import rule209 from './windows_execution_via_connection_manager.json'; +import rule210 from './windows_execution_via_microsoft_html_application_hta.json'; +import rule211 from './windows_execution_via_net_com_assemblies.json'; +import rule212 from './windows_execution_via_regsvr32.json'; +import rule213 from './windows_execution_via_trusted_developer_utilities.json'; +import rule214 from './windows_html_help_executable_program_connecting_to_the_internet.json'; +import rule215 from './windows_image_load_from_a_temp_directory.json'; +import rule216 from './windows_indirect_command_execution.json'; +import rule217 from './windows_iodine_activity.json'; +import rule218 from './windows_management_instrumentation_wmi_execution.json'; +import rule219 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json'; +import rule220 from './windows_mimikatz_activity.json'; +import rule221 from './windows_misc_lolbin_connecting_to_the_internet.json'; +import rule222 from './windows_net_command_activity_by_the_system_account.json'; +import rule223 from './windows_net_user_command_activity.json'; +import rule224 from './windows_netcat_activity.json'; +import rule225 from './windows_netcat_network_activity.json'; +import rule226 from './windows_network_anomalous_windows_process_using_https_ports.json'; +import rule227 from './windows_nmap_activity.json'; +import rule228 from './windows_nmap_scan_activity.json'; +import rule229 from './windows_payload_obfuscation_via_certutil.json'; +import rule230 from './windows_persistence_or_priv_escalation_via_hooking.json'; +import rule231 from './windows_persistence_via_application_shimming.json'; +import rule232 from './windows_persistence_via_bits_jobs.json'; +import rule233 from './windows_persistence_via_modification_of_existing_service.json'; +import rule234 from './windows_persistence_via_netshell_helper_dll.json'; +import rule235 from './windows_powershell_connecting_to_the_internet.json'; +import rule236 from './windows_priv_escalation_via_accessibility_features.json'; +import rule237 from './windows_process_discovery_via_tasklist_command.json'; +import rule238 from './windows_process_execution_via_wmi.json'; +import rule239 from './windows_process_started_by_acrobat_reader_possible_payload.json'; +import rule240 from './windows_process_started_by_ms_office_program_possible_payload.json'; +import rule241 from './windows_process_started_by_the_java_runtime.json'; +import rule242 from './windows_psexec_activity.json'; +import rule243 from './windows_register_server_program_connecting_to_the_internet.json'; +import rule244 from './windows_registry_query_local.json'; +import rule245 from './windows_registry_query_network.json'; +import rule246 from './windows_remote_management_execution.json'; +import rule247 from './windows_scheduled_task_activity.json'; +import rule248 from './windows_script_interpreter_connecting_to_the_internet.json'; +import rule249 from './windows_signed_binary_proxy_execution.json'; +import rule250 from './windows_signed_binary_proxy_execution_download.json'; +import rule251 from './windows_suspicious_process_started_by_a_script.json'; +import rule252 from './windows_whoami_command_activity.json'; +import rule253 from './windows_windump_activity.json'; +import rule254 from './windows_wireshark_activity.json'; +import rule255 from './zeek_notice_capturelosstoo_much_loss.json'; +import rule256 from './zeek_notice_conncontent_gap.json'; +import rule257 from './zeek_notice_connretransmission_inconsistency.json'; +import rule258 from './zeek_notice_dnsexternal_name.json'; +import rule259 from './zeek_notice_ftpbruteforcing.json'; +import rule260 from './zeek_notice_ftpsite_exec_success.json'; +import rule261 from './zeek_notice_heartbleedssl_heartbeat_attack.json'; +import rule262 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json'; +import rule263 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json'; +import rule264 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json'; +import rule265 from './zeek_notice_httpsql_injection_attacker.json'; +import rule266 from './zeek_notice_httpsql_injection_victim.json'; +import rule267 from './zeek_notice_intelnotice.json'; +import rule268 from './zeek_notice_noticetally.json'; +import rule269 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json'; +import rule270 from './zeek_notice_packetfiltercompile_failure.json'; +import rule271 from './zeek_notice_packetfilterdropped_packets.json'; +import rule272 from './zeek_notice_packetfilterinstall_failure.json'; +import rule273 from './zeek_notice_packetfilterno_more_conn_shunts_available.json'; +import rule274 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json'; +import rule275 from './zeek_notice_protocoldetectorprotocol_found.json'; +import rule276 from './zeek_notice_protocoldetectorserver_found.json'; +import rule277 from './zeek_notice_scanaddress_scan.json'; +import rule278 from './zeek_notice_scanport_scan.json'; +import rule279 from './zeek_notice_signaturescount_signature.json'; +import rule280 from './zeek_notice_signaturesmultiple_sig_responders.json'; +import rule281 from './zeek_notice_signaturesmultiple_signatures.json'; +import rule282 from './zeek_notice_signaturessensitive_signature.json'; +import rule283 from './zeek_notice_signaturessignature_summary.json'; +import rule284 from './zeek_notice_smtpblocklist_blocked_host.json'; +import rule285 from './zeek_notice_smtpblocklist_error_message.json'; +import rule286 from './zeek_notice_smtpsuspicious_origination.json'; +import rule287 from './zeek_notice_softwaresoftware_version_change.json'; +import rule288 from './zeek_notice_softwarevulnerable_version.json'; +import rule289 from './zeek_notice_sshinteresting_hostname_login.json'; +import rule290 from './zeek_notice_sshlogin_by_password_guesser.json'; +import rule291 from './zeek_notice_sshpassword_guessing.json'; +import rule292 from './zeek_notice_sshwatched_country_login.json'; +import rule293 from './zeek_notice_sslcertificate_expired.json'; +import rule294 from './zeek_notice_sslcertificate_expires_soon.json'; +import rule295 from './zeek_notice_sslcertificate_not_valid_yet.json'; +import rule296 from './zeek_notice_sslinvalid_ocsp_response.json'; +import rule297 from './zeek_notice_sslinvalid_server_cert.json'; +import rule298 from './zeek_notice_sslold_version.json'; +import rule299 from './zeek_notice_sslweak_cipher.json'; +import rule300 from './zeek_notice_sslweak_key.json'; +import rule301 from './zeek_notice_teamcymrumalwarehashregistrymatch.json'; +import rule302 from './zeek_notice_traceroutedetected.json'; +import rule303 from './zeek_notice_weirdactivity.json'; export const rawRules = [ rule1, rule2, @@ -650,40 +614,4 @@ export const rawRules = [ rule301, rule302, rule303, - rule304, - rule305, - rule306, - rule307, - rule308, - rule309, - rule310, - rule311, - rule312, - rule313, - rule314, - rule315, - rule316, - rule317, - rule318, - rule319, - rule320, - rule321, - rule322, - rule323, - rule324, - rule325, - rule326, - rule327, - rule328, - rule329, - rule330, - rule331, - rule332, - rule333, - rule334, - rule335, - rule336, - rule337, - rule338, - rule339, ]; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json deleted file mode 100644 index 57f37e34ad4d5..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "description": "Linux: Java Process Connecting to the Internet", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": false, - "params": { - "query": "java" - }, - "type": "phrase", - "value": "java" - }, - "query": { - "match": { - "process.name": { - "query": "java", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "socket_opened" - }, - "type": "phrase", - "value": "socket_opened" - }, - "query": { - "match": { - "event.action": { - "query": "socket_opened", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "destination.ip", - "negate": true, - "params": { - "query": "127.0.0.1" - }, - "type": "phrase", - "value": "127.0.0.1" - }, - "query": { - "match": { - "destination.ip": { - "query": "127.0.0.1", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", - "key": "destination.ip", - "negate": true, - "params": { - "query": "::1" - }, - "type": "phrase", - "value": "::1" - }, - "query": { - "match": { - "destination.ip": { - "query": "::1", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Linux: Java Process Connecting to the Internet", - "query": "not destination.ip: 10.0.0.0/8 and not 172.16.0.0/12", - "risk_score": 50, - "rule_id": "7f65b8c5-27ed-4cf6-a088-3a20d2f84bf5", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json deleted file mode 100644 index 62203b6c42a5a..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Linux lzop activity - possible @JulianRunnels", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Linux lzop activity - possible @JulianRunnels", - "query": "process.name:lzop", - "risk_score": 50, - "rule_id": "d89b05b1-9b2b-45ea-9876-4a74550af6a6", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json deleted file mode 100644 index a63b2ea7dc522..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json +++ /dev/null @@ -1,93 +0,0 @@ -{ - "description": "Linux unusual shell activity", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "process.name", - "negate": true, - "params": { - "query": "bash" - }, - "type": "phrase", - "value": "bash" - }, - "query": { - "match": { - "process.name": { - "query": "bash", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "process.executable", - "negate": true, - "params": { - "query": "/bin/dash" - }, - "type": "phrase", - "value": "/bin/dash" - }, - "query": { - "match": { - "process.executable": { - "query": "/bin/dash", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "process.name", - "negate": true, - "params": { - "query": "ReportCrash" - }, - "type": "phrase", - "value": "ReportCrash" - }, - "query": { - "match": { - "process.name": { - "query": "ReportCrash", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Linux unusual shell activity", - "query": "process.name:*sh", - "risk_score": 50, - "rule_id": "4cc78842-f8a9-4a20-b703-a596c4f24e4f", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json deleted file mode 100644 index 075f77490a237..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json +++ /dev/null @@ -1,68 +0,0 @@ -{ - "description": "Powershell network connection", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Network connection detected (rule: NetworkConnect)" - }, - "type": "phrase", - "value": "Network connection detected (rule: NetworkConnect)" - }, - "query": { - "match": { - "event.action": { - "query": "Network connection detected (rule: NetworkConnect)", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "destination.ip", - "negate": true, - "params": { - "query": "169.254.169.254" - }, - "type": "phrase", - "value": "169.254.169.254" - }, - "query": { - "match": { - "destination.ip": { - "query": "169.254.169.254", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Powershell network connection", - "query": "process.name:powershell.exe", - "risk_score": 50, - "rule_id": "8e792144-39a6-4a63-9779-2f12719dc132", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json deleted file mode 100644 index 5ed0ad3899b4c..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Process Execution via WMI", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Process Execution via WMI", - "query": "process.name:scrcons.exe", - "risk_score": 50, - "rule_id": "14ba7cd9-1489-459b-99a4-153c7a3f9abb", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json deleted file mode 100644 index c00b88e5f88ef..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "description": "Process started by Acrobat reader - possible payload", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Process started by Acrobat reader - possible payload", - "query": "process.parent.name:AcroRd32.exe", - "risk_score": 50, - "rule_id": "c359628d-d5af-4a20-99df-aeeea109b690", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json deleted file mode 100644 index 5237b17e7d69f..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "description": "Process started by MS Office program - possible payload", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Process started by MS Office program - possible payload", - "query": " process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", - "risk_score": 50, - "rule_id": "3181b814-08e3-43f9-b77a-a2530603b131", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json deleted file mode 100644 index 1a686a4482df6..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Process started by Windows Defender", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Process started by Windows Defender", - "query": "parent.process.name:MsMpEng.exe", - "risk_score": 50, - "rule_id": "b3da3321-417d-494b-854c-b40369e063f0", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json deleted file mode 100644 index b928e7dc80576..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "PSexec activity", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "PSexec activity", - "query": "process.name:PsExec.exe or process.name:PsExec64.exe", - "risk_score": 50, - "rule_id": "9511b7f4-3898-4813-8bd3-d810b03148ab", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json deleted file mode 100644 index ab76b1ed9ff9e..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "description": "(Search) Windows 10", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "agent.hostname", - "negate": false, - "params": { - "query": "LAPTOP-CQNI37L2" - }, - "type": "phrase" - }, - "query": { - "match": { - "agent.hostname": { - "query": "LAPTOP-CQNI37L2", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.provider", - "negate": false, - "params": { - "query": "Microsoft-Windows-Sysmon" - }, - "type": "phrase" - }, - "query": { - "match": { - "event.provider": { - "query": "Microsoft-Windows-Sysmon", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "(Search) Windows 10", - "query": "", - "risk_score": 50, - "rule_id": "5d00c579-794c-4f64-be52-1ed8cae2b11e", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json deleted file mode 100644 index e20197dfd2c92..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Child Processes of Spoolsv.exe", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Child Processes of Spoolsv.exe", - "query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ", - "risk_score": 50, - "rule_id": "2f026c73-bb63-455e-abdf-f11f463acf0d", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json deleted file mode 100644 index 11186bfb44d62..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect Large Outbound ICMP Packets", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect Large Outbound ICMP Packets", - "query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, - "rule_id": "e108c0c6-5ee8-47a0-8c23-ec47ba3a9b00", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json deleted file mode 100644 index 724985b2d1de8..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect Long DNS TXT Record Response", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect Long DNS TXT Record Response", - "query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53", - "risk_score": 50, - "rule_id": "2cdf84be-1c9c-4184-9880-75b9a6ddeaba", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json deleted file mode 100644 index c0e773f09b168..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect New Local Admin account", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect New Local Admin account", - "query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators", - "risk_score": 50, - "rule_id": "030fc8e4-2c5f-4cc9-a6bd-2b6b7b98ae16", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json deleted file mode 100644 index f9ad5793f2547..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect PsExec With accepteula Flag", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect PsExec With accepteula Flag", - "query": "process.name:PsExec.exe and process.args:\"-accepteula\"", - "risk_score": 50, - "rule_id": "4b63cf13-9043-41e3-84ec-6e39eb0d407e", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json deleted file mode 100644 index 0a67c3adeaea5..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"", - "risk_score": 50, - "rule_id": "f4388e4c-ec3d-41b3-be5c-27c11f61473c", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json deleted file mode 100644 index 466f9aff01942..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Processes created by netsh", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Processes created by netsh", - "query": "process.parent.name:netsh.exe", - "risk_score": 50, - "rule_id": "ce7a0bde-7406-4729-a075-a215f4571ff6", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json deleted file mode 100644 index cc54721cd92f2..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Processes launching netsh", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Processes launching netsh", - "query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ", - "risk_score": 50, - "rule_id": "600dba95-f1c6-4a4d-aae1-c79cbd8a5ddd", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json deleted file mode 100644 index c68e074d43817..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Protocols passing authentication in cleartext", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Protocols passing authentication in cleartext", - "query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp", - "risk_score": 50, - "rule_id": "f4442e7f-856a-4a4a-851b-c1f9b97b0d39", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json deleted file mode 100644 index 5f36d6623bcfb..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "Splunk - Windows Event Log Cleared", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Splunk - Windows Event Log Cleared", - "query": "event.code:(1102 or 1100)", - "risk_score": 50, - "rule_id": "c0747553-4652-4e74-bc86-898f2daa2bde", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json deleted file mode 100644 index 37cf174786f97..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "description": "Suspicious process started by a script", - "enabled": false, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Process Create (rule: ProcessCreate)" - }, - "type": "phrase", - "value": "Process Create (rule: ProcessCreate)" - }, - "query": { - "match": { - "event.action": { - "query": "Process Create (rule: ProcessCreate)", - "type": "phrase" - } - } - } - } - ], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Suspicious process started by a script", - "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe)", - "risk_score": 50, - "rule_id": "e49b532b-3e52-4f3d-90f6-05a86982d347", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json deleted file mode 100644 index 7b40fc208ecd5..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "WinDump activity", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "WinDump activity", - "query": "process.name:WinDump.exe", - "risk_score": 50, - "rule_id": "61c56cf4-0c08-4ad5-83ea-d2fe6ac62fa8", - "severity": "low", - "to": "now", - "type": "query", - "version": 1 -}