From d5b1e6459cd4a0fe5173d6739993ad488413ec90 Mon Sep 17 00:00:00 2001 
From: FrankHassanabad
Date: Fri, 24 Jan 2020 10:45:09 -0700
Subject: [PATCH 1/9] Changed techniques to be technique

---
 .../mitre/mitre_tactics_techniques.ts | 2 +-
 .../components/description_step/helpers.tsx | 2 +-
 .../rules/components/mitre/helpers.ts | 4 +--
 .../rules/components/mitre/index.tsx | 12 ++++----
 .../rules/components/mitre/translations.ts | 2 +-
 .../step_about_rule/default_value.ts | 2 +-
 .../components/step_about_rule/schema.tsx | 2 +-
 .../detection_engine/rules/create/helpers.ts | 2 +-
 .../pages/detection_engine/rules/types.ts | 2 +-
 .../routes/__mocks__/request_responses.ts | 6 ++--
 .../routes/rules/utils.test.ts | 28 +++++++++----------
 .../add_prepackaged_rules_schema.test.ts | 10 +++---
 .../schemas/create_rules_schema.test.ts | 10 +++---
 .../schemas/import_rules_schema.test.ts | 10 +++---
 .../routes/schemas/schemas.ts | 2 +-
 .../schemas/update_rules_schema.test.ts | 14 +++++-----
 .../rules/get_export_all.test.ts | 2 +-
 .../rules/get_export_by_object_ids.test.ts | 4 +--
 ...den_file_attribute_with_via_attribexe.json | 4 +--
 .../eql_adobe_hijack_persistence.json | 2 +-
 .../eql_audio_capture_via_powershell.json | 2 +-
 .../eql_audio_capture_via_soundrecorder.json | 2 +-
 .../eql_bypass_uac_event_viewer.json | 2 +-
 .../eql_bypass_uac_via_cmstp.json | 2 +-
 .../eql_bypass_uac_via_sdclt.json | 2 +-
 .../eql_clearing_windows_event_logs.json | 2 +-
 ...delete_volume_usn_journal_with_fsutil.json | 2 +-
 ...deleting_backup_catalogs_with_wbadmin.json | 2 +-
 .../eql_direct_outbound_smb_connection.json | 2 +-
 ...ble_windows_firewall_rules_with_netsh.json | 2 +-
 .../eql_dll_search_order_hijack.json | 4 +--
 ...coding_or_decoding_files_via_certutil.json | 2 +-
 .../eql_local_scheduled_task_commands.json | 2 +-
 .../eql_local_service_commands.json | 2 +-
 ...ql_modification_of_boot_configuration.json | 2 +-
 ...ql_msbuild_making_network_connections.json | 2 +-
 .../eql_mshta_making_network_connections.json | 2 +-
 .../eql_msxsl_making_network_connections.json | 2 +-
 ...ql_suspicious_ms_office_child_process.json | 2 +-
 ...l_suspicious_ms_outlook_child_process.json | 2 +-
 ...l_suspicious_pdf_reader_child_process.json | 2 +-
 .../eql_system_shells_via_services.json | 2 +-
 ...usual_network_connection_via_rundll32.json | 2 +-
 .../eql_unusual_parentchild_relationship.json | 2 +-
 ...ql_unusual_process_network_connection.json | 2 +-
 .../eql_user_account_creation.json | 2 +-
 ...eql_user_added_to_administrator_group.json | 2 +-
 ...ume_shadow_copy_deletion_via_vssadmin.json | 2 +-
 ..._volume_shadow_copy_deletion_via_wmic.json | 2 +-
 ...l_windows_script_executing_powershell.json | 2 +-
 .../eql_wmic_command_lateral_movement.json | 2 +-
 .../linux_kernel_module_activity.json | 2 +-
 .../linux_shell_activity_by_web_server.json | 2 +-
 .../linux_whoami_commmand.json | 2 +-
 .../rules/queries/query_mitre_attack.json | 4 +--
 .../rules/queries/query_with_everything.json | 4 +--
 .../saved_query_with_everything.json | 4 +--
 .../signals_on_signals/depth_test/README.md | 2 +-
 .../signals_on_signals/halting_test/README.md | 2 +-
 .../updates/update_query_everything.json | 4 +--
 .../siem/server/lib/detection_engine/types.ts | 2 +-
 61 files changed, 107 insertions(+), 107 deletions(-)

diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/mitre/mitre_tactics_techniques.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/mitre/mitre_tactics_techniques.ts
index 160e006c4d267..16ab73365222b 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/mitre/mitre_tactics_techniques.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/mitre/mitre_tactics_techniques.ts
@@ -187,7 +187,7 @@ export const tacticsOptions: MitreTacticsOptions[] = [
 },
 ];
-export const techniques = [
+export const technique = [
 {
 name: '.bash_profile and .bashrc',
 id: 'T1156',
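Review bot: The export renamed in mitre_tactics_techniques.ts, `-export const techniques = [` to `+export const technique = [`, is the catalogue of every MITRE technique, not a rule's `technique` field, so the plural was the accurate name and the singular now reads as if it held one entry. Any module that imports `techniques` from this file would also break on the rename; none is visible in this patch, so that is inferred rather than shown. If the goal is only to align the rule payload field with the server schema, keeping `export const techniques = [` here avoids touching the catalogue and its importers. The array body continues beyond the hunk.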
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx
index 011c008c5b2d2..4add612892c7e 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx
@@ -132,7 +132,7 @@ export const buildThreatsDescription = ({
 {tactic != null ? tactic.text : ''}
- {threat.techniques.map(technique => {
+ {threat.technique.map(technique => {
 const myTechnique = techniquesOptions.find(t => t.id === technique.id);
 return (
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/helpers.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/helpers.ts
index 1202fe54ad194..7a28a16214df6 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/helpers.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/helpers.ts
@@ -9,9 +9,9 @@ import { IMitreAttack } from '../../types';
 export const isMitreAttackInvalid = (
 tacticName: string | null | undefined,
- techniques: IMitreAttack[] | null | undefined
+ technique: IMitreAttack[] | null | undefined
 ) => {
- if (isEmpty(tacticName) || (tacticName !== 'none' && isEmpty(techniques))) {
+ if (isEmpty(tacticName) || (tacticName !== 'none' && isEmpty(technique))) {
 return true;
 }
 return false;
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx
index f9a22c37cfdf0..9986b64fc5b15 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx
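Review bot: `isMitreAttackInvalid` in mitre/helpers.ts still spells its boolean result as an `if` that returns `true` followed by a bare `return false`, and the arrow function declares no return type, so a caller relies on inference for what is a validation predicate. The body can be the predicate itself: `export const isMitreAttackInvalid = (tacticName: string | null | undefined, technique: IMitreAttack[] | null | undefined): boolean =>` followed by `isEmpty(tacticName) || (tacticName !== 'none' && isEmpty(technique));`. The closing of the function lies outside the hunk.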
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx
@@ -62,10 +62,10 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 if (!isEmpty(values[values.length - 1])) {
 field.setValue([
 ...values,
- { tactic: { id: 'none', name: 'none', reference: 'none' }, techniques: [] },
+ { tactic: { id: 'none', name: 'none', reference: 'none' }, technique: [] },
 ]);
 } else {
- field.setValue([{ tactic: { id: 'none', name: 'none', reference: 'none' }, techniques: [] }]);
+ field.setValue([{ tactic: { id: 'none', name: 'none', reference: 'none' }, technique: [] }]);
 }
 }, [field]);
@@ -82,7 +82,7 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 {
 ...values[index],
 tactic: { id, reference, name },
- techniques: [],
+ technique: [],
 },
 ...values.slice(index + 1),
 ]);
@@ -96,7 +96,7 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 ...values.slice(0, index),
 {
 ...values[index],
- techniques: selectedOptions,
+ technique: selectedOptions,
 },
 ...values.slice(index + 1),
 ]);
@@ -133,9 +133,9 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 );
 const getSelectTechniques = (item: IMitreEnterpriseAttack, index: number, disabled: boolean) => {
- const invalid = isMitreAttackInvalid(item.tactic.name, item.techniques);
+ const invalid = isMitreAttackInvalid(item.tactic.name, item.technique);
 const options = techniquesOptions.filter(t => t.tactics.includes(kebabCase(item.tactic.name)));
- const selectedOptions = item.techniques.map(technic => ({
+ const selectedOptions = item.technique.map(technic => ({
 ...technic,
 label: `${technic.name} (${technic.id})`, // API doesn't allow for label field
 }));
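Review bot: The placeholder threat `{ tactic: { id: 'none', name: 'none', reference: 'none' }, technique: [] }` is written out twice in the first hunk of mitre/index.tsx (both `field.setValue` calls) and a third time as `threatsDefault` in step_about_rule/default_value.ts, which is why this rename had to edit three copies of the same literal. A small factory near the top of the component, `const emptyThreat = () => ({ tactic: { id: 'none', name: 'none', reference: 'none' }, technique: [] });`, used as `field.setValue([...values, emptyThreat()])` and `field.setValue([emptyThreat()])`, keeps the sentinel in one place; a factory rather than a shared constant so each call still receives a fresh object as it does now. The enclosing callback starts before the hunk.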
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/translations.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/translations.ts
index 557e91691b6c7..bbc12800b7df5 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/translations.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/translations.ts
@@ -13,7 +13,7 @@ export const TACTIC = i18n.translate('xpack.siem.detectionEngine.mitreAttack.tac
 export const TECHNIQUE = i18n.translate(
 'xpack.siem.detectionEngine.mitreAttack.techniquesDescription',
 {
- defaultMessage: 'technique',
+ defaultMessage: 'techniques',
 }
 );
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts
index 92aca1cecf9f3..63bfc84dab22f 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts
@@ -11,7 +11,7 @@ export const threatsDefault = [
 {
 framework: 'MITRE ATT&CK',
 tactic: { id: 'none', name: 'none', reference: 'none' },
- techniques: [],
+ technique: [],
 },
 ];
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx
index 15b793a502840..c0595b8d48c26 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx
@@ -155,7 +155,7 @@ export const schema: FormSchema = {
 const [{ value, path }] = args;
 let hasError = false;
 (value as IMitreEnterpriseAttack[]).forEach(v => {
- if (isMitreAttackInvalid(v.tactic.name, v.techniques)) {
+ if (isMitreAttackInvalid(v.tactic.name, v.technique)) {
 hasError = true;
 }
 });
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts
index ce91e15cdcf0d..4f33679453a81 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts
@@ -96,7 +96,7 @@ const formatAboutStepData = (aboutStepData: AboutStepRule): AboutStepRuleJson =>
 .map(threat => ({
 ...threat,
 framework: 'MITRE ATT&CK',
- techniques: threat.techniques.map(technique => {
+ technique: threat.technique.map(technique => {
 const { id, name, reference } = technique;
 return { id, name, reference };
 }),
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts
index 2b50e32a367ec..ede78e1c4818d 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts
@@ -134,5 +134,5 @@ export interface IMitreAttack {
 export interface IMitreEnterpriseAttack {
 framework: string;
 tactic: IMitreAttack;
- techniques: IMitreAttack[];
+ technique: IMitreAttack[];
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
index 4a48301ee4b9c..b5c75e7c3ae0b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
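Review bot: The validator in step_about_rule/schema.tsx builds `hasError` with a `forEach` over a mutable flag, where `some` states the intent directly and stops at the first invalid entry: `const hasError = (value as IMitreEnterpriseAttack[]).some(v => isMitreAttackInvalid(v.tactic.name, v.technique));`. The `as` cast stays only because the form schema gives `value` no narrower type at this point. The validator continues past the end of the hunk.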
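Review bot: In create/helpers.ts the `technique` mapper destructures `technique` into `{ id, name, reference }` on one line only to rebuild the same object on the next; destructuring in the parameter list says the same thing in one line, `technique: threat.technique.map(({ id, name, reference }) => ({ id, name, reference })),`. The `.map(threat => ...)` chain this sits in starts before the hunk.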
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
@@ -38,7 +38,7 @@ export const mockPrepackagedRule = (): PrepackagedRules => ({
 {
 framework: 'fake',
 tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef' },
- techniques: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }],
+ technique: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }],
 },
 ],
 enabled: true,
@@ -73,7 +73,7 @@ export const typicalPayload = (): Partial => ({
 {
 framework: 'fake',
 tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef' },
- techniques: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }],
+ technique: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }],
 },
 ],
 });
@@ -306,7 +306,7 @@ export const getResult = (): RuleAlertType => ({
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts
index c1b4c7de73f68..b2e56234cfc9e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts
@@ -60,7 +60,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -123,7 +123,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -188,7 +188,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -253,7 +253,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -316,7 +316,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -382,7 +382,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -448,7 +448,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -514,7 +514,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -631,7 +631,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -704,7 +704,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -866,7 +866,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -987,7 +987,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -1047,7 +1047,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
@@ -1096,7 +1096,7 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts
index 2a04c15b8cd9f..c3f7bb0136ec6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts
@@ -267,7 +267,7 @@ describe('add prepackaged rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -793,7 +793,7 @@ describe('add prepackaged rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -833,7 +833,7 @@ describe('add prepackaged rules schema', () => {
 threats: [
 {
 framework: 'fake',
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -849,7 +849,7 @@ describe('add prepackaged rules schema', () => {
 );
 });
- test('You cannot send in an array of threats that are missing "techniques"', () => {
+ test('You cannot send in an array of threats that are missing "technique"', () => {
 expect(
 addPrepackagedRulesSchema.validate<
 Partial> & {
@@ -883,7 +883,7 @@ describe('add prepackaged rules schema', () => {
 version: 1,
 }).error.message
 ).toEqual(
- 'child "threats" fails because ["threats" at position 0 fails because [child "techniques" fails because ["techniques" is required]]]'
+ 'child "threats" fails because ["threats" at position 0 fails because [child "technique" fails because ["technique" is required]]]'
 );
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
index f765f01300c58..6308331cc9325 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
@@ -284,7 +284,7 @@ describe('create rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -707,7 +707,7 @@ describe('create rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -747,7 +747,7 @@ describe('create rules schema', () => {
 threats: [
 {
 framework: 'fake',
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -762,7 +762,7 @@ describe('create rules schema', () => {
 );
 });
- test('You cannot send in an array of threats that are missing "techniques"', () => {
+ test('You cannot send in an array of threats that are missing "technique"', () => {
 expect(
 createRulesSchema.validate<
 Partial> & {
@@ -796,7 +796,7 @@ describe('create rules schema', () => {
 ],
 }).error.message
 ).toEqual(
- 'child "threats" fails because ["threats" at position 0 fails because [child "techniques" fails because ["techniques" is required]]]'
+ 'child "threats" fails because ["threats" at position 0 fails because [child "technique" fails because ["technique" is required]]]'
 );
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
index b19a91d18c3ff..f2d7c7f483b79 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
@@ -289,7 +289,7 @@ describe('import rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -714,7 +714,7 @@ describe('import rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -754,7 +754,7 @@ describe('import rules schema', () => {
 threats: [
 {
 framework: 'fake',
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -769,7 +769,7 @@ describe('import rules schema', () => {
 );
 });
- test('You cannot send in an array of threats that are missing "techniques"', () => {
+ test('You cannot send in an array of threats that are missing "technique"', () => {
 expect(
 importRulesSchema.validate<
 Partial> & {
@@ -803,7 +803,7 @@ describe('import rules schema', () => {
 ],
 }).error.message
 ).toEqual(
- 'child "threats" fails because ["threats" at position 0 fails because [child "techniques" fails because ["techniques" is required]]]'
+ 'child "threats" fails because ["threats" at position 0 fails because [child "technique" fails because ["technique" is required]]]'
 );
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
index a027fcb96b599..7a2faf44b328a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
@@ -91,7 +91,7 @@ export const threats = Joi.array().items(
 Joi.object({
 framework: threat_framework.required(),
 tactic: threat_tactic.required(),
- techniques: threat_techniques.required(),
+ technique: threat_techniques.required(),
 })
 );
 export const created_at = Joi.string()
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
index 44b3b5b927be2..a28f02661da8c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
@@ -720,7 +720,7 @@ describe('update rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -752,7 +752,7 @@ describe('update rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
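Review bot: `technique: threat_techniques.required()` in schemas.ts makes the new key mandatory with no acceptance of the old `techniques` key, so any rule payload produced before this change — an exported ndjson being re-imported, an API client, or a prepackaged rule file not touched by this patch — now fails validation with the `"technique" is required` message the schema tests assert; nothing in this patch (1 of 9) migrates or aliases the old key, so a later patch may cover it, but nothing here shows that. If a transition window is intended, Joi's object-level `.rename('techniques', 'technique')` on the threat object would accept legacy payloads while new ones use `technique`, and a schema test that feeds the old key would pin whichever behaviour is chosen. The validator name should also follow the field, `technique: threat_technique.required(),`, with `threat_techniques` renamed where it is declared outside the hunk.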
@@ -792,7 +792,7 @@ describe('update rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -830,7 +830,7 @@ describe('update rules schema', () => {
 threats: [
 {
 framework: 'fake',
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -845,11 +845,11 @@ describe('update rules schema', () => {
 );
 });
- test('threats is invalid when updated with missing techniques', () => {
+ test('threats is invalid when updated with missing technique', () => {
 expect(
 updateRulesSchema.validate<
 Partial> & {
- threats: Array>>;
+ threats: Array>>;
 }
 >({
 id: 'rule-1',
@@ -877,7 +877,7 @@ describe('update rules schema', () => {
 ],
 }).error.message
 ).toEqual(
- 'child "threats" fails because ["threats" at position 0 fails because [child "techniques" fails because ["techniques" is required]]]'
+ 'child "threats" fails because ["threats" at position 0 fails because [child "technique" fails because ["technique" is required]]]'
 );
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts
index eb9756af8fde1..92bb4b0b6f5c5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts
@@ -23,7 +23,7 @@ describe('getExportAll', () => {
 const exports = await getExportAll(unsafeCast);
 expect(exports).toEqual({
 rulesNdjson:
- '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threats":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"techniques":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n',
+ '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threats":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"technique":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n',
 exportDetails: '{"exported_count":1,"missing_rules":[],"missing_rules_count":0}\n',
 });
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts
index a861d80a66fd5..fa2b481500e9d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts
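Review bot: The expected `rulesNdjson` in get_export_all.test.ts is one quoted line of well over a thousand characters, so the only thing this hunk changes (`techniques` to `technique` inside the `threats` entry) cannot be seen without a character-level diff, and the same literal is repeated in get_export_by_object_ids.test.ts with the same problem. Parsing the output and comparing objects makes the expectation reviewable: `expect(JSON.parse(exports.rulesNdjson.trim())).toEqual(expectedRule)` with `expectedRule` written as an object literal (or derived from the fixture the mocked client returns), and the newline terminator pinned separately with `expect(exports.rulesNdjson.endsWith('\n')).toBe(true)`. The `it` block this sits in starts before the hunk.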
@@ -25,7 +25,7 @@ describe('get_export_by_object_ids', () => {
 const exports = await getExportByObjectIds(unsafeCast, objects);
 expect(exports).toEqual({
 rulesNdjson:
- '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threats":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"techniques":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n',
+ '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threats":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"technique":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n',
 exportDetails: '{"exported_count":1,"missing_rules":[],"missing_rules_count":0}\n',
 });
 });
@@ -106,7 +106,7 @@ describe('get_export_by_object_ids', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- techniques: [
+ technique: [
 {
 id: 'T1499',
 name: 'endpoint denial of service',
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
index e5280d19f8e4a..5318d7ab672d6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -22,7 +22,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1158",
 "name": "Hidden Files and Directories",
@@ -37,7 +37,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1158",
 "name": "Hidden Files and Directories",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
index 0fac9b17160e2..e87eea13b09df 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
@@ -22,7 +22,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1044",
 "name": "File System Permissions Weakness",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
index 0506d03348913..3d2c08b390efd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
@@ -22,7 +22,7 @@
 "name": "Collection",
 "reference": "https://attack.mitre.org/tactics/TA0009/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1123",
 "name": "Audio Capture",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
index 392eeb3980c9f..8ad942eb1cc90 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
@@ -22,7 +22,7 @@
 "name": "Collection",
 "reference": "https://attack.mitre.org/tactics/TA0009/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1123",
 "name": "Audio Capture",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
index ecbc9a2dd46c4..dc28a4015842b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
@@ -22,7 +22,7 @@
 "name": "Privilege Escalation",
 "reference": "https://attack.mitre.org/tactics/TA0004/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
index 2518fda68ee0f..7d657bb58d3d1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
@@ -22,7 +22,7 @@
 "name": "Privilege Escalation",
 "reference": "https://attack.mitre.org/tactics/TA0004/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
index c419dc080ec3c..6d2d879f85fb0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
@@ -22,7 +22,7 @@
 "name": "Privilege Escalation",
 "reference": "https://attack.mitre.org/tactics/TA0004/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
index bcf9b02a0210f..9c717aeaddf22 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
@@ -22,7 +22,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1070",
 "name": "Indicator Removal on Host",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
index 5a9ba60597534..fdcde25ee0dd7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
@@ -22,7 +22,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1107",
 "name": "File Deletion",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
index 240678d45238c..c27efb427a250 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
@@ -22,7 +22,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1107",
 "name": "File Deletion",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
index 9e5ccc73dc05e..9df23ad4ed349 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
@@ -22,7 +22,7 @@
 "name": "Lateral Movement",
 "reference": "https://attack.mitre.org/tactics/TA0008/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1210",
 "name": "Exploitation of Remote Services",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
index 40a8298561dbd..3fe0b0c492caf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
@@ -22,7 +22,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1089",
 "name": "Disabling Security Tools",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
index 0ee8674e3304b..bd61012573c92 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
@@ -22,7 +22,7 @@
 "name": "Privilege Escalation",
 "reference": "https://attack.mitre.org/tactics/TA0004/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
@@ -37,7 +37,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
index 3e912e076adec..92404cb250e1c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
@@ -22,7 +22,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1140",
 "name": "Deobfuscate/Decode Files or Information",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
index 304fea1cfbb76..e8bffd18724b9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
@@ -22,7 +22,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1053",
 "name": "Scheduled Task",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
index 7454b0fd452c6..0133dabf7ce7b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
@@ -22,7 +22,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1021",
 "name": "Remote Services",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
index d4ac29a78c77d..606ad3ce1921d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
@@ -22,7 +22,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1107",
 "name": "File Deletion",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
index 61049bba92cce..b7229e28ca889 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
@@ -22,7 +22,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1127",
 "name": "Trusted Developer Utilities",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
index f2ed8449b9aaf..abc2ed3e3b5a1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
@@ -25,7 +25,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1170",
 "name": "Mshta",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
index c86b7515173dc..307301c8f5f9b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
@@ -22,7 +22,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1220",
 "name": "XSL Script Processing",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
index 9d3b0361c9d29..dc40b4225c548 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
@@ -22,7 +22,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1193",
 "name": "Spearphishing Attachment",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
index f445cb187c428..259af2dd6ef0d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
@@ -22,7 +22,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1193",
 "name": "Spearphishing Attachment",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
index 0b44ebd922c02..d565e99c29876 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
@@ -22,7 +22,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1193",
 "name": "Spearphishing Attachment",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
index 687f5c0db2dab..aec578dcbe09c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
@@ -22,7 +22,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1050",
 "name": "New Service",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
index 4893f80e8b56c..055366f58995f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
@@ -22,7 +22,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1085",
 "name": "Rundll32",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
index 29e3c998ebe02..d23cd7cb79376 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
@@ -22,7 +22,7 @@
 "name": "Privilege Escalation",
 "reference": "https://attack.mitre.org/tactics/TA0004/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1093",
 "name": "Process Hollowing",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
index ce34e4a352c88..111090be65901 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
@@ -22,7 +22,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1127",
 "name": "Trusted Developer Utilities",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
index 5b94babaf8add..31681302a4046 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
@@ -22,7 +22,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1136",
 "name": "Create Account",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
index f0b770985c716..c2f4cadc5aa61 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
@@ -22,7 +22,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1098",
 "name": "Account Manipulation",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
index 8f23d398a48a7..a1d8309daa922 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
@@ -22,7 +22,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1490",
 "name": "Inhibit System Recovery",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
index fc18b2c0f5d70..f3e5e480290db 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
@@ -22,7 +22,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1107",
 "name": "File Deletion",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
index ff3d660704eeb..4eb259837ed05 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
@@ -22,7 +22,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1193",
 "name": "Spearphishing Attachment",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
index 5a9bda9e8ddfa..86997f9e73347 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
@@ -22,7 +22,7 @@
 "name": "Lateral Movement",
 "reference": "https://attack.mitre.org/tactics/TA0008/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1047",
 "name": "Windows Management Instrumentation",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
index d6887f7928dd8..4a90217a700fb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
@@ -32,7 +32,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/techniques/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1215",
 "name": "Kernel Modules and Extensions",
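Review bot: The tactic `reference` in the context line just above the renamed key reads `https://attack.mitre.org/techniques/TA0003/`, which puts a tactic id under the techniques path; every other prepackaged rule in this diff links its tactic as `https://attack.mitre.org/tactics/<id>/`, and linux_shell_activity_by_web_server.json in the next hunk carries the same mismatch. Since this block is being edited anyway, correcting it to `"reference": "https://attack.mitre.org/tactics/TA0003/"` in both files would keep the rules' ATT&CK metadata consistent and avoid what is most likely a dead link wherever the reference is rendered. The enclosing threat object starts and ends outside the hunk.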
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
index e8c5942ec5100..6c11a2357c21a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -33,7 +33,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/techniques/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1100",
 "name": "Web Shell",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
index c57e21334b4f7..d3cb259321ca0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
@@ -29,7 +29,7 @@
 "name": "Discovery",
 "reference": "https://attack.mitre.org/tactics/TA0007/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1033",
 "name": "System Owner/User Discovery",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json
index f728e3b988206..c03a76942e4d2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json
@@ -13,7 +13,7 @@
 "name": "impact",
 "reference": "https://attack.mitre.org/tactics/TA0040/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1499",
 "name": "endpoint denial of service",
@@ -28,7 +28,7 @@
 "name": "Automated Exfiltration",
 "reference": "https://attack.mitre.org/techniques/T1020/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1002",
 "name": "Data Compressed",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json
index 4a90d904f31ab..8fa8b6da83bc3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json
@@ -48,7 +48,7 @@
 "name": "impact",
 "reference": "https://attack.mitre.org/tactics/TA0040/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1499",
 "name": "endpoint denial of service",
@@ -63,7 +63,7 @@
 "name": "Some other name",
 "reference": "https://example.com"
 },
- "techniques": [
+ "technique": [
 {
 "id": "some-other-id",
 "name": "some other technique name",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json
index 2b7dbc8cccf0e..d2f0ccba38572 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json
@@ -48,7 +48,7 @@
 "name": "impact",
 "reference": "https://attack.mitre.org/tactics/TA0040/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1499",
 "name": "endpoint denial of service",
@@ -63,7 +63,7 @@
 "name": "Some other name",
 "reference": "https://example.com"
 },
- "techniques": [
+ "technique": [
 {
 "id": "some-other-id",
 "name": "some other technique name",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md
index ff3e9a8cf0948..2310ba979da20 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md
@@ -123,7 +123,7 @@ ancestors -> An array tracking all of the parents of this particular signal. As ``` This is indicating that you have a single parent of an event from the signal (signal -> event) and this document has a single
-ancestor of that event. Each 30 seconds that goes it will use de-duplication techniques to ensure that this signal is not re-inserted. If after
+ancestor of that event. Each 30 seconds that goes it will use de-duplication technique to ensure that this signal is not re-inserted. If after
 each 30 seconds you DO SEE multiple signals then the bug is a de-duplication bug and a critical bug. If you ever see a duplicate rule in the ancestors array then that is another CRITICAL bug which needs to be fixed.
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/halting_test/README.md b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/halting_test/README.md
index 7895e579de3a6..b1a83f5317776 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/halting_test/README.md
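Review bot: The edited README line is prose, not a field name, and the substitution turns `de-duplication techniques` into the ungrammatical `de-duplication technique`; the halting_test/README.md hunk that follows has the identical regression. This looks like fallout from a global replace of the `techniques` key rather than an intended wording change, so the original sentence `it will use de-duplication techniques to ensure that this signal is not re-inserted` should be restored in both files.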
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/halting_test/README.md
@@ -102,7 +102,7 @@ ancestors -> An array tracking all of the parents of this particular signal. As ``` This is indicating that you have a single parent of an event from the signal (signal -> event) and this document has a single
-ancestor of that event. Each 30 seconds that goes it will use de-duplication techniques to ensure that this signal is not re-inserted. If after
+ancestor of that event. Each 30 seconds that goes it will use de-duplication technique to ensure that this signal is not re-inserted. If after
 each 30 seconds you DO SEE multiple signals then the bug is a de-duplication bug and a critical bug. If you ever see a duplicate rule in the ancestors array then that is another CRITICAL bug which needs to be fixed.
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json
index a47d0155727d8..3dcc7016cb983 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json
@@ -48,7 +48,7 @@
 "name": "impact",
 "reference": "https://attack.mitre.org/tactics/TA0040/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1499",
 "name": "endpoint denial of service",
@@ -63,7 +63,7 @@
 "name": "Some other name",
 "reference": "https://example.com"
 },
- "techniques": [
+ "technique": [
 {
 "id": "some-other-id",
 "name": "some other technique name",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
index c7bd92322360a..23f538cfae685 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
@@ -18,7 +18,7 @@ export interface IMitreAttack {
 export interface ThreatParams {
 framework: string;
 tactic: IMitreAttack;
- techniques: IMitreAttack[];
+ technique: IMitreAttack[];
 }
 export interface RuleAlertParams {
From f95433baf32075ca3c44e5f955192835a0195d5c Mon Sep 17 00:00:00 2001
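Review bot: `technique: IMitreAttack[]` in ThreatParams is a singular name on an array-typed field, and nothing on the interface says this is deliberate, so the next maintainer is likely to "fix" it back; a one-line TSDoc would settle it: `/** ATT&CK techniques under `tactic`; the singular key is intentional and matches the `technique` array in the prepackaged rule JSON. */`. Rule saved objects written before this rename presumably still carry `techniques` in their stored params, so it is worth confirming that the read and export paths tolerate the old key, or that a migration ships with the rename, before existing rules silently lose their technique metadata. ThreatParams is shown in full, but RuleAlertParams continues outside the hunk.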
From: FrankHassanabad Date: Fri, 24 Jan 2020 11:09:00 -0700 Subject: [PATCH 2/9] Generic rule cleanup --- .../403_response_to_a_post.json | 6 ------ .../405_response_method_not_allowed.json | 6 ------ .../500_response_on_admin_page.json | 6 ------ ...den_file_attribute_with_via_attribexe.json | 12 ++--------- .../eql_adobe_hijack_persistence.json | 10 +-------- .../eql_audio_capture_via_powershell.json | 10 +-------- .../eql_audio_capture_via_soundrecorder.json | 10 +-------- .../eql_bypass_uac_event_viewer.json | 10 +-------- .../eql_bypass_uac_via_cmstp.json | 10 +-------- .../eql_bypass_uac_via_sdclt.json | 10 +-------- .../eql_clearing_windows_event_logs.json | 10 +-------- ...delete_volume_usn_journal_with_fsutil.json | 10 +-------- ...deleting_backup_catalogs_with_wbadmin.json | 10 +-------- .../eql_direct_outbound_smb_connection.json | 10 +-------- ...ble_windows_firewall_rules_with_netsh.json | 10 +-------- .../eql_dll_search_order_hijack.json | 10 +-------- ...coding_or_decoding_files_via_certutil.json | 10 +-------- .../eql_local_scheduled_task_commands.json | 10 +-------- .../eql_local_service_commands.json | 10 +-------- ...ql_modification_of_boot_configuration.json | 10 +-------- ...ql_msbuild_making_network_connections.json | 10 +-------- .../eql_mshta_making_network_connections.json | 14 ++----------- .../eql_msxsl_making_network_connections.json | 10 +-------- .../eql_psexec_lateral_movement_command.json | 10 +-------- ...ql_suspicious_ms_office_child_process.json | 10 +-------- ...l_suspicious_ms_outlook_child_process.json | 12 ++--------- ...l_suspicious_pdf_reader_child_process.json | 10 +-------- .../eql_system_shells_via_services.json | 10 +-------- ...usual_network_connection_via_rundll32.json | 10 +-------- .../eql_unusual_parentchild_relationship.json | 12 ++--------- ...ql_unusual_process_network_connection.json | 10 +-------- .../eql_user_account_creation.json | 10 +-------- ...eql_user_added_to_administrator_group.json | 10 +-------- 
...ume_shadow_copy_deletion_via_vssadmin.json | 12 ++--------- ..._volume_shadow_copy_deletion_via_wmic.json | 12 ++--------- ...l_windows_script_executing_powershell.json | 10 +-------- .../eql_wmic_command_lateral_movement.json | 12 ++--------- .../linux_hping_activity.json | 7 +------ .../linux_iodine_activity.json | 7 +------ .../linux_kernel_module_activity.json | 18 +++------------- .../linux_ldso_process_activity.json | 6 ------ .../linux_lzop_activity.json | 6 ------ .../linux_mknod_activity.json | 7 +------ .../linux_netcat_network_connection.json | 7 +------ ...k_anomalous_process_using_https_ports.json | 6 ------ .../linux_nmap_activity.json | 7 +------ .../linux_nping_activity.json | 7 +------ ...nux_process_started_in_temp_directory.json | 18 +++------------- .../linux_ptrace_activity.json | 7 +------ .../linux_rawshark_activity.json | 7 +------ .../linux_shell_activity_by_web_server.json | 21 ++++--------------- .../linux_socat_activity.json | 7 +------ .../linux_ssh_forwarding.json | 7 +------ .../linux_strace_activity.json | 7 +------ .../linux_tcpdump_activity.json | 7 +------ .../prepackaged_rules/linux_web_download.json | 7 +------ .../linux_whoami_commmand.json | 16 +++----------- .../network_dns_directly_to_the_internet.json | 10 ++------- ...fer_protocol_activity_to_the_internet.json | 10 ++------- ...hat_protocol_activity_to_the_internet.json | 10 ++------- .../network_nat_traversal_port_activity.json | 10 ++------- .../network_port_26_activity.json | 10 ++------- .../network_port_8000_activity.json | 6 ------ ...rk_port_8000_activity_to_the_internet.json | 10 ++------- ..._to_point_tunneling_protocol_activity.json | 10 ++------- ...k_proxy_port_activity_to_the_internet.json | 10 ++------- ...te_desktop_protocol_from_the_internet.json | 10 ++------- ...mote_desktop_protocol_to_the_internet.json | 10 ++------- ...mote_procedure_call_from_the_internet.json | 10 ++------- ...remote_procedure_call_to_the_internet.json | 10 ++------- 
...file_sharing_activity_to_the_internet.json | 10 ++------- .../network_smtp_to_the_internet.json | 10 ++------- ..._server_port_activity_to_the_internet.json | 10 ++------- ...rk_ssh_secure_shell_from_the_internet.json | 10 ++------- ...work_ssh_secure_shell_to_the_internet.json | 10 ++------- .../network_telnet_port_activity.json | 10 ++------- .../network_tor_activity_to_the_internet.json | 10 ++------- ...l_network_computing_from_the_internet.json | 10 ++------- ...ual_network_computing_to_the_internet.json | 10 ++------- .../prepackaged_rules/null_user_agent.json | 7 +------ .../prepackaged_rules/sqlmap_user_agent.json | 6 ------ ...rvice_bits_connecting_to_the_internet.json | 6 ------ .../windows_burp_ce_activity.json | 6 ------ ...s_certutil_connecting_to_the_internet.json | 6 ------ ...and_prompt_connecting_to_the_internet.json | 6 ------ ...nd_shell_started_by_internet_explorer.json | 7 +------ ...s_command_shell_started_by_powershell.json | 7 +------ ...dows_command_shell_started_by_svchost.json | 5 ----- .../windows_credential_dumping_commands.json | 6 ------ ...dows_credential_dumping_via_imageload.json | 6 ------ ..._credential_dumping_via_registry_save.json | 6 ------ ...ows_data_compression_using_powershell.json | 6 ------ ...fense_evasion_decoding_using_certutil.json | 6 ------ ...asion_or_persistence_via_hidden_files.json | 6 ------ ...ws_defense_evasion_via_filter_manager.json | 6 ------ ...e_evasion_via_windows_event_log_tools.json | 6 ------ ...dows_execution_via_compiled_html_file.json | 6 ------ ...dows_execution_via_connection_manager.json | 6 ------ ...on_via_microsoft_html_application_hta.json | 6 ------ ...dows_execution_via_net_com_assemblies.json | 6 ------ .../windows_execution_via_regsvr32.json | 6 ------ ...ution_via_trusted_developer_utilities.json | 6 ------ ...le_program_connecting_to_the_internet.json | 6 ------ ...dows_image_load_from_a_temp_directory.json | 7 +------ .../windows_indirect_command_execution.json | 6 ------ 
.../windows_iodine_activity.json | 6 ------ ...agement_instrumentation_wmi_execution.json | 6 ------ ...cation_hta_connecting_to_the_internet.json | 6 ------ .../windows_mimikatz_activity.json | 7 +------ ...isc_lolbin_connecting_to_the_internet.json | 6 ------ ...ommand_activity_by_the_system_account.json | 7 +------ .../windows_net_user_command_activity.json | 7 +------ .../windows_netcat_activity.json | 7 +------ .../windows_netcat_network_activity.json | 7 +------ ...ous_windows_process_using_https_ports.json | 6 ------ .../windows_nmap_activity.json | 7 +------ .../windows_nmap_scan_activity.json | 7 +------ ...dows_payload_obfuscation_via_certutil.json | 6 ------ ...stence_or_priv_escalation_via_hooking.json | 6 ------ ..._persistence_via_application_shimming.json | 6 ------ .../windows_persistence_via_bits_jobs.json | 6 ------ ..._via_modification_of_existing_service.json | 6 ------ ...s_persistence_via_netshell_helper_dll.json | 6 ------ ...powershell_connecting_to_the_internet.json | 6 ------ ...escalation_via_accessibility_features.json | 6 ------ ...rocess_discovery_via_tasklist_command.json | 6 ------ .../windows_process_execution_via_wmi.json | 6 ------ ...ed_by_acrobat_reader_possible_payload.json | 7 +------ ...by_ms_office_program_possible_payload.json | 7 +------ ...s_process_started_by_the_java_runtime.json | 7 +------ .../windows_psexec_activity.json | 6 ------ ...er_program_connecting_to_the_internet.json | 6 ------ .../windows_registry_query_local.json | 6 ------ .../windows_registry_query_network.json | 6 ------ .../windows_remote_management_execution.json | 6 ------ .../windows_scheduled_task_activity.json | 6 ------ ...nterpreter_connecting_to_the_internet.json | 6 ------ ...windows_signed_binary_proxy_execution.json | 6 ------ ...igned_binary_proxy_execution_download.json | 6 ------ ...uspicious_process_started_by_a_script.json | 7 +------ .../windows_whoami_command_activity.json | 7 +------ .../windows_windump_activity.json | 6 ------ 
.../windows_wireshark_activity.json | 6 ------
143 files changed, 125 insertions(+), 1046 deletions(-)
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
index 932f198604557..93b1dfba706c6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
@@ -1,17 +1,11 @@
 {
 "description": "403 Response to a POST",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "403 Response to a POST",
 "query": "http.response.status_code:403 and http.request.method:post",
 "risk_score": 50,
 "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
index d4c9a40ddb45f..90a3ccebfc494 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
@@ -1,17 +1,11 @@
 {
 "description": "405 Response (Method Not Allowed)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "405 Response (Method Not Allowed)",
 "query": "http.response.status_code:405",
 "risk_score": 50,
 "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
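Review bot: Dropping `"immutable": true` and `"enabled": false` from every prepackaged rule in this patch (this hunk and the rule files through the MsBuild hunk at the end of the chunk) moves two security-relevant defaults out of the rule definitions, and nothing in this patch shows where they are supplied instead. If the prepackaged-rule loader or its request schema does not default them, bundled rules could install as user-editable or as enabled on first install; the `from`/`to`/`interval` removals likewise change the evaluation window unless the schema defaults are `now-6m`/`now`/`5m`. Presumably the loader handles this, but a test asserting that an installed prepackaged rule has `immutable: true` and `enabled: false` would make the contract explicit rather than implicit in 143 files.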
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
index 6231200379732..c75d442b74aa6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
@@ -1,17 +1,11 @@
 {
 "description": "500 Response on Admin page",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "500 Response on Admin page",
 "query": "url.path:\"/admin/\" and http.response.status_code:500",
 "risk_score": 50,
 "rule_id": "054f669c-b065-492e-acd9-15e44fc42380",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
index 5318d7ab672d6..5a297a43979ac 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -1,19 +1,12 @@
 {
 "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Adding the Hidden File Attribute with via attrib.exe",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
 "risk_score": 25,
 "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -46,7 +39,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
index e87eea13b09df..92109ca719b63 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
@@ -1,19 +1,12 @@
 {
 "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Adobe Hijack Persistence",
 "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
 "risk_score": 25,
 "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
index 3d2c08b390efd..fb500a5fd8b09 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
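Review bot: The exclusion at the end of the Adobe Hijack Persistence query is `not process.name:msiexeec.exe`, which is a misspelling that will never match the Windows Installer process, so legitimate installer writes to the RdrCEF.exe paths will still alert. The query line is context here, but since this patch is already touching every field of the file it would be the right place to correct it to `not process.name:msiexec.exe`. A rule-file lint that cross-checks excluded process names against a known list would have caught this across the prepackaged set.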
@@ -1,19 +1,12 @@
 {
 "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Audio Capture via PowerShell",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"",
 "risk_score": 25,
 "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
index 8ad942eb1cc90..2d5df5e42ce94 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
@@ -1,19 +1,12 @@
 {
 "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Audio Capture via SoundRecorder",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"",
 "risk_score": 25,
 "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
index dc28a4015842b..b3b91d66ff205 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies User Account Control (UAC) bypass via eventvwr. Attackers bypass UAC to stealthily execute code with elevated permissions.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Bypass UAC via Event Viewer",
 "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")",
 "risk_score": 25,
 "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
index 7d657bb58d3d1..573b5fb9d5f1b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Bypass UAC via CMSTP",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")",
 "risk_score": 25,
 "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
index 6d2d879f85fb0..81fb4d6111296 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Bypass UAC via SDCLT",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")",
 "risk_score": 25,
 "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
index 9c717aeaddf22..d490665446440 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
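Review bot: The description of the SDCLT rule still reads "UAC bypass via cmstp", copied from the CMSTP rule in the previous file, while the name and query are about sdclt.exe; analysts triaging an alert see the description, so it should say `"Identifies User Account Control (UAC) bypass via sdclt. ..."`. Separately, this query keeps a leading space inside the string (`" event.action:...`) even though the attrib.exe rule earlier in this patch removed exactly that; the same leftover is in the SMB, DLL Search Order, Scheduled Task and MsBuild queries later in the chunk, and trimming them here would keep the cleanup consistent.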
@@ -1,19 +1,12 @@
 {
 "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt evade detection or destroy forensic evidence on a system.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Clearing Windows Event Logs",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
 "risk_score": 25,
 "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
index fdcde25ee0dd7..7110a9d8655b6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Delete Volume USN Journal with fsutil",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
 "risk_score": 25,
 "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
index c27efb427a250..7de4da0bf6cbd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies use of the wbadmin command to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Deleting Backup Catalogs with wbadmin",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
 "risk_score": 25,
 "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
index 9df23ad4ed349..505ada37bfb86 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Direct Outbound SMB Connection",
 "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
 "risk_score": 50,
 "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
index 3fe0b0c492caf..145ee7551567b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies use of the netsh command to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Disable Windows Firewall Rules with Netsh",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
 "risk_score": 50,
 "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
index bd61012573c92..250d7fbabdbac 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
@@ -1,19 +1,12 @@
 {
 "description": "Detects writing DLL files to known locations associated with Windows files vulnerable to DLL search order hijacking.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "DLL Search Order Hijack",
 "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ",
 "risk_score": 50,
 "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -46,7 +39,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
index 92404cb250e1c..ed9784a0efb48 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
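Review bot: Every `file.path` value in the DLL Search Order Hijack query is written as `C\Windows\...` without the drive colon, whereas the other rules in this patch (Adobe Hijack, Bypass UAC) use `C:\Windows\...`; a real `file.path` will carry the colon, so as written this rule is unlikely ever to match and silently provides no coverage. The fix is mechanical: `C\\Windows` → `C:\\Windows` in each of the nine paths, e.g. `\"C:\\Windows\\ehome\\cryptbase.dll\"`. The query also retains a leading and a trailing space inside the string, which the attrib.exe rule in this same patch already trimmed.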
@@ -1,19 +1,12 @@
 {
 "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Encoding or Decoding Files via CertUtil",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
 "risk_score": 50,
 "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
index e8bffd18724b9..dc790626db5e7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
@@ -1,19 +1,12 @@
 {
 "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Local Scheduled Task Commands",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
 "risk_score": 25,
 "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
index 0133dabf7ce7b..f6902c2642bec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Local Service Commands",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
 "risk_score": 25,
 "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
index 606ad3ce1921d..8ec13379e640f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Modification of Boot Configuration",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ",
 "risk_score": 75,
 "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8",
 "severity": "high",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
index b7229e28ca889..01fdf3bae06b2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "MsBuild Making Network Connections",
 "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
 "risk_score": 50,
 "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
index abc2ed3e3b5a1..4050c690616cb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
@@ -1,22 +1,13 @@
 {
 "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Mshta Making Network Connections",
 "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"",
- "references": [
- "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
- ],
+ "references": ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"],
 "risk_score": 50,
 "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -34,7 +25,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
index 307301c8f5f9b..b80825b9df8dd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
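Review bot: The `query` context line of the Mshta hunk can never match: `process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"` is a contradiction, so the rule will never produce a signal no matter what the endpoint reports. The msbuild rule two hunks above uses `and not destination.ip:(\"127.0.0.1\" or \"::1\")` for the same loopback exclusion, which looks like what was intended here; the corrected line would be `"query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not destination.ip:(\"127.0.0.1\" or \"::1\")",`. The line is untouched by this commit, so the defect is pre-existing, but since the file is being rewritten anyway it is worth fixing in the same pass rather than shipping a dead rule.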
@@ -1,19 +1,12 @@
 {
 "description": "Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "MsXsl Making Network Connections",
 "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
index e35843bc9b413..08bb417a2eafe 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
@@ -1,20 +1,12 @@
 {
 "description": "Identifies use of the SysInternals tool PsExec to execute commands on a remote host. This is an indication of lateral movement and may detect adversaries.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "PsExec Lateral Movement Command",
 "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
 "risk_score": 50,
 "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "to": "now",
+ "tags": ["EIA"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
index dc40b4225c548..14ed61f8b2c67 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Suspicious MS Office Child Process",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
 "risk_score": 25,
 "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
index 259af2dd6ef0d..e486b51dd7a67 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Suspicious MS Outlook Child Process",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
 "risk_score": 25,
 "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
index d565e99c29876..4f1f9bed53d27 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "EQL - Suspicious PDF Reader Child Process",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
 "risk_score": 75,
 "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f",
 "severity": "high",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
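Review bot: The `name` context line in this hunk, `"EQL - Suspicious PDF Reader Child Process"`, is the only rule in the set that carries an `EQL - ` prefix; its siblings (`Suspicious MS Office Child Process`, `Suspicious MS Outlook Child Process`) use the bare title, and the prefix is misleading since the file's `language` is `kuery`. Since the commit is already normalising these files, `"name": "Suspicious PDF Reader Child Process",` would keep the catalogue consistent and avoid a rename later that users may have keyed filters on.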
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
index aec578dcbe09c..3a6757af5a822 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
@@ -1,19 +1,12 @@
 {
 "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "System Shells via Services",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
 "risk_score": 50,
 "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
index 055366f58995f..e595d1fd62428 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Unusual Network Connection via RunDLL32",
 "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 25,
 "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
index d23cd7cb79376..389a3a9ea7050 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Unusual Parent-Child Relationship ",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
 "risk_score": 50,
 "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
index 111090be65901..c57e170fd789e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
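Review bot: The `name` context line in this hunk, `"Unusual Parent-Child Relationship "`, has a trailing space inside the string; it will be shown verbatim in the rule list and will break any exact-match lookup or export comparison on the name. The commit already trims the leading space from this rule's `query`, so the same trim belongs here: `"name": "Unusual Parent-Child Relationship",`.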
@@ -1,19 +1,12 @@
 {
 "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Unusual Process Network Connection",
 "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
 "risk_score": 25,
 "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
index 31681302a4046..8e8f8847ead63 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "User Account Creation",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
 "risk_score": 50,
 "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
index c2f4cadc5aa61..4d9b63244877e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies attempts to add a user to an administrative group with the \"net.exe\" command. This is sometimes done by attackers to increase access of a compromised account or create new account.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "User Added to Administrator Group",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ",
 "risk_score": 50,
 "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
index a1d8309daa922..c90df0a25c462 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Volume Shadow Copy Deletion via VssAdmin",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
 "risk_score": 75,
 "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
 "severity": "high",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
index f3e5e480290db..ed1c70e3f5fa4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies use of wmic for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Volume Shadow Copy Deletion via WMIC",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
 "risk_score": 75,
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
 "severity": "high",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
index 4eb259837ed05..d3eeb148477aa 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
@@ -1,19 +1,12 @@
 {
 "description": "Identifies a PowerShell process launched by either CScript or WScript. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Script Executing PowerShell",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
 "risk_score": 50,
 "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
 "severity": "low",
- "tags": [
- "EIA"
- ],
+ "tags": ["EIA"],
 "threats": [
 {
 "framework": "MITRE ATT&CK",
@@ -31,7 +24,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
index 86997f9e73347..173f9364844ce 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
@@ -1,19 +1,12 @@ { "description": "Identifies use of wmic.exe to run commands on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", "language": "kuery", "name": "WMIC Command Lateral Movement", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")", "risk_score": 25, "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210", "severity": "low", - "tags": [ - "EIA" - ], + "tags": ["EIA"], "threats": [ { "framework": "MITRE ATT&CK", @@ -31,7 +24,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json index b42e4130b688c..a1938cd58a11e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: Hping Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Hping Activity", "query": "process.name: hping and event.action:executed", "risk_score": 50, "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "severity": "low", - "to": "now", "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json index 1eb66c39571d7..ba516f2963ffd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: Iodine Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Iodine Activity", "query": "process.name: (iodine or iodined) and event.action:executed", "risk_score": 50, "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json index 4a90217a700fb..0a07c03928981 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json 
@@ -1,15 +1,7 @@ { "description": "Identifies loadable kernel module errors, often indicative of potential persistence attempts.", - "enabled": false, - "false_positives": [ - "Security tools and device drivers may load legitimate kernel modules." - ], - "from": "now-6m", - "immutable": true, - "index": [ - "auditbeat-*" - ], - "interval": "5m", + "false_positives": ["Security tools and device drivers may load legitimate kernel modules."], + "index": ["auditbeat-*"], "language": "kuery", "max_signals": 33, "name": "Persistence via Kernel Module Modification", @@ -20,10 +12,7 @@ "risk_score": 25, "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", "severity": "low", - "tags": [ - "EIA", - "auditbeat" - ], + "tags": ["EIA", "auditbeat"], "threats": [ { "framework": "MITRE ATT&CK", @@ -41,7 +30,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json index 174e246fa70d9..7f7d19d0ab3e3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json @@ -1,17 +1,11 @@ { "description": "Linux ld.so process activity", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", "language": "kuery", "name": "Linux ld.so process activity", "query": "process.name:ld.so and event.action:executed", "risk_score": 50, "rule_id": "3f31a31c-f7cf-4268-a0df-ec1a98099e7f", "severity": "low", - "to": "now", "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json index 77953240c2185..e9de8ea90e31e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json @@ -1,17 +1,11 @@ { "description": "Linux lzop activity - possible @JulianRunnels", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", "language": "kuery", "name": "Linux lzop activity", "query": "process.name:lzop and event.action:executed", "risk_score": 50, "rule_id": "d7359214-54a4-4572-9e51-ebf79cda9b04", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json index 0894011520741..4830094d37504 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: Mknod Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Mknod Activity", "query": "process.name: mknod and event.action:executed", "risk_score": 50, "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", "severity": "low", - "to": "now", "type": "query", "version": 1 } 
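Review bot: The lzop rule's `"description"` context line still reads `Linux lzop activity - possible @JulianRunnels`, which looks like an author's working note rather than user-facing text, and this commit ships it unchanged. Suggest `"description": "Linux lzop activity",` or a sentence describing what the detection indicates, in line with the other Linux rules in this patch.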
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json index d324a4f64cbba..b9178be35ee67 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json @@ -1,16 +1,11 @@ { "description": "Linux: Netcat Network Connection", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Netcat Network Activity", "query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action: (connected-to or bound-socket or socket_opened)", "risk_score": 50, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json index d04f6610f450d..794ef3d538c61 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json 
@@ -1,17 +1,11 @@ { "description": "Linux Network - Anomalous Process Using HTTP/S Ports", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", "language": "kuery", "name": "Linux Network - Anomalous Process Using HTTP/S Ports", "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:curl and not process.name:http and not process.name:https and not process.name:nginx and not process.name:packetbeat and not process.name:python2 and not process.name:snapd and not process.name:wget", "risk_score": 50, "rule_id": "be40c674-1799-4a00-934d-0b2d54495913", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json index cb89fdc6ebbff..ad64fc88b60ee 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: Nmap Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Nmap Activity", "query": "process.name: nmap", "risk_score": 50, "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json index b5508c388059c..37a50c759fc0c 100644 
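Review bot: The nmap rule's `"query": "process.name: nmap"` has no `event.action:executed` clause, unlike the sibling rules in this patch (hping, iodine, nping, ptrace and others), so it matches any event that carries `process.name: nmap`, not only process executions. Suggest `"query": "process.name: nmap and event.action:executed",` so the rule behaves like its siblings; if the broader match is intended, the description should say so.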
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: Nping Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Nping Activity", "query": "process.name: nping and event.action:executed", "risk_score": 50, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json index 945c8acfe00e4..b389cf9453fbb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json @@ -1,15 +1,7 @@ { "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.", - "enabled": false, - "false_positives": [ - "Build systems like Jenkins may start processes in the /tmp directory." - ], - "from": "now-6m", - "immutable": true, - "index": [ - "auditbeat-*" - ], - "interval": "5m", + "false_positives": ["Build systems like Jenkins may start processes in the /tmp directory."], + "index": ["auditbeat-*"], "language": "kuery", "max_signals": 33, "name": "Unusual Process Execution - Temp", @@ -17,11 +9,7 @@ "risk_score": 25, "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", "severity": "low", - "tags": [ - "EIA", - "auditbeat" - ], - "to": "now", + "tags": ["EIA", "auditbeat"], "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json index 47ae28cf8ea4c..b524600d4e9f5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: Ptrace Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Ptrace Activity", "query": "process.name: ptrace and event.action:executed", "risk_score": 50, "rule_id": "1bff9259-e160-4920-bf72-4c96b6dbb7af", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json index d4924cab7048f..80e2c437852fa 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: Rawshark Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Rawshark Activity", "query": "process.name: rawshark and event.action:executed", "risk_score": 50, "rule_id": "30eb2b9d-b53b-4ba5-bfab-7119a8b84029", "severity": "low", - "to": "now", "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index 6c11a2357c21a..f85f8e5f67556 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json @@ -1,30 +1,18 @@ { "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", - "enabled": false, - "false_positives": [ + "false_positives": [ "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." ], - "filters": [], - "from": "now-6m", - "immutable": true, - "index": [ - "auditbeat-*" - ], - "interval": "5m", + "index": ["auditbeat-*"], "language": "kuery", "max_signals": 33, "name": "Linux: Shell Activity By Web Server", "query": "process.name: bash and (user.name: apache or www) and event.action:executed", - "references": [ - "https://pentestlab.blog/tag/web-shell/" - ], + "references": ["https://pentestlab.blog/tag/web-shell/"], "risk_score": 50, "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", "severity": "low", - "tags": [ - "EIA", - "auditbeat" - ], + "tags": ["EIA", "auditbeat"], "threats": [ { "framework": "MITRE ATT&CK", @@ -42,7 +30,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json index 2ea860e061958..fc175795e44e6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json 
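Review bot: In `"query": "process.name: bash and (user.name: apache or www) and event.action:executed"` the parentheses enclose the whole field clause, so `www` is most likely parsed as a free-text term rather than a second `user.name` value, which widens the rule to any event that mentions `www` in a searchable field. The grouped-value form used elsewhere in this patch is `field: (a or b)`; suggest `"query": "process.name: bash and user.name: (apache or www) and event.action:executed",`. Whether the account list should also include `www-data`, the usual web-server account on Debian-family systems, is worth checking against the target environment.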
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: socat activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Whoami Commmand", "query": "process.name:socat and not process.args:\"-V\" and event.action:executed", "risk_score": 50, "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json index 38562320921b4..3d5b74e56e7b0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json @@ -1,10 +1,6 @@ { "description": "Detect ssh processes with the `-R` flag which can be used to forward a port on a local system to the local system so that someone on the remote system can connect to the local system. This is often used by attackers to create encrypted tunnels through firewalls for pivoting and persistence.", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: SSH Port Forwarding", "query": "process.name:ssh and process.args:\"-R\" and event.action:executed", "references": [ @@ -13,7 +9,6 @@ "risk_score": 50, "rule_id": "45d256ab-e665-445b-8306-2f83a8db59f8", "severity": "low", - "to": "now", "type": "query", "version": 1 } 
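Review bot: The socat rule's `"name": "Linux: Whoami Commmand"` contradicts its description (`Linux: socat activity`) and its query, and appears to have been copied from the whoami rule; this hunk leaves it in place. Suggest `"name": "Linux: socat activity",` so alerts are labelled with what actually matched.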
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json index dc0eae38d20c6..17f8c93336c6a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: Strace Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Strace Activity", "query": "process.name: strace and event.action:executed", "risk_score": 50, "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json index f7b543fef75f5..1110e1ec2619f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json @@ -1,16 +1,11 @@ { "description": "Linux: Tcpdump Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Tcpdump Activity", "query": "process.name: tcpdump and event.action:executed", "risk_score": 50, "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", "severity": "low", - "to": "now", "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json index 876a3fef7aa09..ec4d52b0295c0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json @@ -1,16 +1,11 @@ { "description": "Linux: Web Download", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", + "language": "kuery", "name": "Linux: Web Download", "query": "process.name: (curl or wget) and event.action:executed", "risk_score": 50, "rule_id": "e8ec93a6-49d2-4467-8c12-81c435fcc519", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json index d3cb259321ca0..146e1b3548408 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json 
@@ -1,15 +1,9 @@ { "description": "The 'whoami' command was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privlieged access.", - "enabled": false, - "false_positives": [ + "false_positives": [ "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." ], - "from": "now-6m", - "immutable": true, - "index": [ - "auditbeat-*" - ], - "interval": "5m", + "index": ["auditbeat-*"], "language": "kuery", "max_signals": 33, "name": "Linux: User Discovery Via The Whoami Commmand", @@ -17,10 +11,7 @@ "risk_score": 50, "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", "severity": "low", - "tags": [ - "EIA", - "auditbeat" - ], + "tags": ["EIA", "auditbeat"], "threats": [ { "framework": "MITRE ATT&CK", @@ -38,7 +29,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json index 1a3c3c003b532..f36fd508f2398 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json 
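Review bot: The description and name in this hunk carry typos that the commit leaves unchanged: `privlieged` in the description and `Commmand` in `"name": "Linux: User Discovery Via The Whoami Commmand"`. Suggest `privileged` and `"name": "Linux: User Discovery Via The Whoami Command",`; the file name itself also carries the triple-m spelling, though renaming it is a separate change.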
@@ -1,17 +1,11 @@ { - "description": "Network - DNS Directly to the Internet\t", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "description": "Network - DNS Directly to the Internet", "language": "kuery", - "name": "Network - DNS Directly to the Internet\t", + "name": "Network - DNS Directly to the Internet", "query": "destination.port:53 and not destination.ip: 169.254.169.254/32 and not destination.ip:127.0.0.53/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 50, "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json index 99a126f0613ec..866d7a5280b8a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json 
@@ -1,17 +1,11 @@ { - "description": "Network - FTP (File Transfer Protocol) Activity to the Internet\t", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "description": "Network - FTP (File Transfer Protocol) Activity to the Internet", "language": "kuery", - "name": "Network - FTP (File Transfer Protocol) Activity to the Internet\t", + "name": "Network - FTP (File Transfer Protocol) Activity to the Internet", "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 50, "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json index 79814eb552d5b..5b091e112fc54 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json 
@@ -1,17 +1,11 @@ { - "description": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet\t", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "description": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet", "language": "kuery", - "name": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet\t", + "name": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet", "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 50, "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json index d370773e3879f..743c4eb49d644 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json @@ -1,17 +1,11 @@ { - "description": "Network - NAT Traversal Port Activity\t", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "description": "Network - NAT Traversal Port Activity", "language": "kuery", - "name": "Network - NAT Traversal Port Activity\t", + "name": "Network - NAT Traversal Port Activity", "query": "destination.port:4500", "risk_score": 50, "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", - "to": "now", "type": "query", "version": 1 } 
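Review bot: The IRC rule's query is `(destination.port:20 or destination.port:21) and not destination.ip:...`, byte-identical to the FTP rule in the preceding hunk, so a rule named "IRC (Internet Relay Chat) Protocol Activity to the Internet" currently alerts on FTP traffic and never on IRC. This hunk only strips the trailing tab from the name and description and leaves the query as is. The port list should name the IRC ports the team wants to cover (6667 is the conventional plaintext port, 6697 the conventional TLS port), e.g. `"query": "destination.port:(6667 or 6697) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",`.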
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json index cfdb5e6584ee3..16187d1177412 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json @@ -1,17 +1,11 @@ { - "description": "Network - Port 26 Activity\t", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "description": "Network - Port 26 Activity", "language": "kuery", - "name": "Network - Port 26 Activity\t", + "name": "Network - Port 26 Activity", "query": "destination.port:26", "risk_score": 50, "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json index 218109b73221d..4b0f339293e85 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json @@ -1,17 +1,11 @@ { "description": "Network - Port 8000 Activity", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", "language": "kuery", "name": "Network - Port 8000 Activity", "query": "destination.port:8000", "risk_score": 50, "rule_id": "9c5f8092-e3f7-4eda-b9d3-56eed28fb157", "severity": "low", - "to": "now", "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json index 5eeda8e094bb9..f3eeebf6c4e77 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json @@ -1,17 +1,11 @@ { - "description": "Network - Port 8000 Activity to the Internet\t", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "description": "Network - Port 8000 Activity to the Internet", "language": "kuery", - "name": "Network - Port 8000 Activity to the Internet\t", + "name": "Network - Port 8000 Activity to the Internet", "query": "destination.port:8000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 50, "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", "severity": "low", - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json index 7b83966e18e70..bd5c049292530 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json 
@@ -1,17 +1,11 @@
 {
- "description": "Network - PPTP (Point to Point Tunneling Protocol) Activity\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - PPTP (Point to Point Tunneling Protocol) Activity",
 "language": "kuery",
- "name": "Network - PPTP (Point to Point Tunneling Protocol) Activity\t",
+ "name": "Network - PPTP (Point to Point Tunneling Protocol) Activity",
 "query": "destination.port:1723",
 "risk_score": 50,
 "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
index 3a55db4050459..2daebbfc475a2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - Proxy Port Activity to the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - Proxy Port Activity to the Internet",
 "language": "kuery",
- "name": "Network - Proxy Port Activity to the Internet\t",
+ "name": "Network - Proxy Port Activity to the Internet",
 "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
index e5c1e33470fa4..8b933c8f877bb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - RDP (Remote Desktop Protocol) from the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - RDP (Remote Desktop Protocol) from the Internet",
 "language": "kuery",
- "name": "Network - RDP (Remote Desktop Protocol) from the Internet\t",
+ "name": "Network - RDP (Remote Desktop Protocol) from the Internet",
 "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
index 92316f2bb05da..660badcfb4e6b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
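Review bot: The retained query line in network_rdp_remote_desktop_protocol_from_the_internet.json does not match the rule it sits in: it is the proxy-port query `(destination.port:8080 or destination.port:3128) ...` from the proxy rule above, so this rule never inspects RDP traffic, and the commit leaves it in place while trimming the metadata around it. The other inbound rules in this chunk (SSH from the Internet, VNC from the Internet) exclude private `source.ip` ranges, whereas this one excludes `destination.ip`, which is the outbound pattern. The next file, network_rpc_remote_procedure_call_from_the_internet.json, has the same copy-paste problem: its query is the RDP port-3389 query with `destination.ip` exclusions rather than the port 135 used by the RPC-to-the-Internet rule. For this file the line should read `"query": "destination.port:3389 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",` and the RPC one the same with `destination.port:135`.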
@@ -1,17 +1,11 @@
 {
- "description": "Network - RDP (Remote Desktop Protocol) to the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - RDP (Remote Desktop Protocol) to the Internet",
 "language": "kuery",
- "name": "Network - RDP (Remote Desktop Protocol) to the Internet\t",
+ "name": "Network - RDP (Remote Desktop Protocol) to the Internet",
 "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
index 69d6d18ced8b9..953cd2d2df947 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - RPC (Remote Procedure Call) from the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - RPC (Remote Procedure Call) from the Internet",
 "language": "kuery",
- "name": "Network - RPC (Remote Procedure Call) from the Internet\t",
+ "name": "Network - RPC (Remote Procedure Call) from the Internet",
 "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
index 1f9a71bab9244..1cce789d13500 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - RPC (Remote Procedure Call) to the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - RPC (Remote Procedure Call) to the Internet",
 "language": "kuery",
- "name": "Network - RPC (Remote Procedure Call) to the Internet\t",
+ "name": "Network - RPC (Remote Procedure Call) to the Internet",
 "query": "destination.port:135 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
index 627a89609cc21..3bce656c26a7f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - SMB (Windows File Sharing) Activity to the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - SMB (Windows File Sharing) Activity to the Internet",
 "language": "kuery",
- "name": "Network - SMB (Windows File Sharing) Activity to the Internet\t",
+ "name": "Network - SMB (Windows File Sharing) Activity to the Internet",
 "query": "(destination.port:139 or destination.port:445) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
index ff5a61cbe00e6..dc456ff97f6f1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - SMTP to the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - SMTP to the Internet",
 "language": "kuery",
- "name": "Network - SMTP to the Internet\t",
+ "name": "Network - SMTP to the Internet",
 "query": "destination.port:25 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
index eeeb93e12938f..5e643579bfeae 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - SQL Server Port Activity to the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - SQL Server Port Activity to the Internet",
 "language": "kuery",
- "name": "Network - SQL Server Port Activity to the Internet\t",
+ "name": "Network - SQL Server Port Activity to the Internet",
 "query": "destination.port:1433 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
index 11f24626fa0c1..54c1bf53bbb98 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - SSH (Secure Shell) from the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - SSH (Secure Shell) from the Internet",
 "language": "kuery",
- "name": "Network - SSH (Secure Shell) from the Internet\t",
+ "name": "Network - SSH (Secure Shell) from the Internet",
 "query": "destination.port:22 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
index ded8c005c4462..1709a9da980fe 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - SSH (Secure Shell) to the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - SSH (Secure Shell) to the Internet",
 "language": "kuery",
- "name": "Network - SSH (Secure Shell) to the Internet\t",
+ "name": "Network - SSH (Secure Shell) to the Internet",
 "query": "destination.port:22 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
index a48f311163c2d..750a06f305c2c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - Telnet Port Activity\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - Telnet Port Activity",
 "language": "kuery",
- "name": "Network - Telnet Port Activity\t",
+ "name": "Network - Telnet Port Activity",
 "query": "destination.port:23",
 "risk_score": 50,
 "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
index 713cc7da72e57..2d81a84db6d21 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - Tor Activity to the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - Tor Activity to the Internet",
 "language": "kuery",
- "name": "Network - Tor Activity to the Internet\t",
+ "name": "Network - Tor Activity to the Internet",
 "query": "(destination.port:9001 or destination.port:9030) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
index 4f1dba808600e..e82fee8c329a9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - VNC (Virtual Network Computing) From the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - VNC (Virtual Network Computing) From the Internet",
 "language": "kuery",
- "name": "Network - VNC (Virtual Network Computing) From the Internet\t",
+ "name": "Network - VNC (Virtual Network Computing) From the Internet",
 "query": "destination.port:5800 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
index fd04ae3ae7dee..3ae0bfb631b05 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
@@ -1,17 +1,11 @@
 {
- "description": "Network - VNC (Virtual Network Computing) To the Internet\t",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "description": "Network - VNC (Virtual Network Computing) To the Internet",
 "language": "kuery",
- "name": "Network - VNC (Virtual Network Computing) To the Internet\t",
+ "name": "Network - VNC (Virtual Network Computing) To the Internet",
 "query": "destination.port:5800 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
index d563944171b7a..5b593d4ff7954 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
@@ -1,7 +1,6 @@
 {
 "description": "Null user agent",
- "enabled": false,
- "filters": [
+ "filters": [
 {
 "meta": {
 "alias": null,
@@ -20,16 +19,12 @@
 }
 }
 ],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Null user agent",
 "query": "url.path: *",
 "risk_score": 50,
 "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
index 48cf20bcbacf7..c0601d72ddd1f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
@@ -1,17 +1,11 @@
 {
 "description": "SQLmap user agent",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "SQLmap user agent",
 "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
 "risk_score": 50,
 "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
index 301954fc58745..cf35d60d7fd90 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet",
 "query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
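Review bot: The retained query in sqlmap_user_agent.json pins a single exact build string, `user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"`, so any other sqlmap release produces no match at all; the commit trims the surrounding metadata but leaves this line as it was. A prefix match, `"query": "user_agent.original:sqlmap*",` (constructed here), covers the tool's default user agent across versions, which is what the rule name promises. Whether the wildcard behaves on this field depends on its mapping, so confirm `user_agent.original` is indexed as a keyword before changing it.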
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
index 22429df353679..4377942f5fde4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Burp CE activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Burp CE activity",
 "query": "process.name:BurpSuiteCommunity.exe",
 "risk_score": 50,
 "rule_id": "0f09845b-2ec8-4770-8155-7df3d4e402cc",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
index 6cf9a375586ba..92fdad49e0e18 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows: Certutil Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows: Certutil Connecting to the Internet",
 "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
index c404bf7a05c85..ec0623765ee17 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows: Command Prompt Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows: Command Prompt Connecting to the Internet",
 "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
index 1bcad8ae016ef..d70b155d952f0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
@@ -1,16 +1,11 @@
 {
 "description": "Command shell started by Internet Explorer",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Command shell started by Internet Explorer",
 "query": "process.parent.name:iexplore.exe and process.name:cmd.exe",
 "risk_score": 50,
 "rule_id": "7a6e1e81-deae-4cf6-b807-9a768fff3c06",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
index faa9694f658ff..1a5d3010175b0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
@@ -1,16 +1,11 @@
 {
 "description": "Command shell started by Powershell",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Command shell started by Powershell",
 "query": "process.parent.name:powershell.exe and process.name:cmd.exe",
 "risk_score": 50,
 "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
index aa371fea3f01d..fe997f97c7fb6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
@@ -1,16 +1,11 @@
 {
 "description": "Command shell started by Svchost",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Command shell started by Svchost",
 "query": "process.parent.name:svchost.exe and process.name:cmd.exe",
 "risk_score": 50,
 "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
index dec76deb3e888..ef3180d694de9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Credential Dumping Commands",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Credential Dumping Commands",
 "query": "event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*)",
 "risk_score": 50,
 "rule_id": "66885745-ea38-432c-9edb-599b943948d4",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
index de3fc49fefa37..920903b288241 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Credential Dumping via ImageLoad",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Credential Dumping via ImageLoad",
 "query": "event.code:7 and not process.name:Sysmon.exe and not process.name:Sysmon64.exe and not process.name:svchost.exe and not process.name:logonui.exe and (file.path:*samlib.dll* or file.path:*WinSCard.dll* or file.path:*cryptdll.dll* or file.path:*hid.dll* or file.path:*vaultcli.dll*)",
 "risk_score": 50,
 "rule_id": "f872647c-d070-4b1c-afcc-055f081d9205",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
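Review bot: The retained query in windows_credential_dumping_commands.json mixes `and` and `or` without grouping: `event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or ...`. KQL binds `and` tighter than `or`, so only the first alternative is restricted to process-creation events (event.code 1) and every other branch matches any event that carries those arguments, which is wider than the rule's name states and a likely source of noise. Wrapping the alternatives, `event.code: 1 and (process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (...) or (...))`, keeps the event-code restriction on each branch, as the ImageLoad rule below already does with its `event.code:7 and (...)` shape. The commit leaves this line untouched.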
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
index 016f49e22a8f8..452f8010cfd06 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Credential Dumping via Registry Save",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Credential Dumping via Registry Save",
 "query": "event.code: 1 and process.name:reg.exe and process.args:*save* and (process.args:*sam* or process.args:*system*)",
 "risk_score": 50,
 "rule_id": "9f6fb56f-4bbd-404e-b955-49dfba7c0e68",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
index cf1334eda6778..c53e3242887de 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Data Compression Using Powershell",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Data Compression Using Powershell",
 "query": "event.code: 1 and process.name:powershell.exe and (process.args:*Recurse* and process.args:*Compress-Archive*)",
 "risk_score": 50,
 "rule_id": "bc913943-e1f9-4bf5-a593-caca7c2eb0c3",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
index f718e5effe8ae..b40ae6c66d65f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Defense Evasion - Decoding Using Certutil",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Defense Evasion - Decoding Using Certutil",
 "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)",
 "risk_score": 50,
 "rule_id": "d9642bf2-87d0-45c2-8781-2bd2017cdbb8",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
index 844a3fc2ac9ec..acef9fcad43ac 100644
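Review bot: In windows_defense_evasion_decoding_using_certutil.json the `query` context line does not match the rule's `name` and `description`: it looks for `process.name:attrib.exe` with `+h`/`+s` arguments, which is the hidden-files pattern also carried by windows_defense_evasion_or_persistence_via_hidden_files.json on the next line, so certutil decoding is never detected by this rule and the two rules alert on the same activity. Since the commit rewrites this file anyway, the query should be corrected alongside to a `process.name:certutil.exe` predicate with the intended argument filter, in the style of windows_payload_obfuscation_via_certutil.json later in the patch; confirm the exact arguments with the rule author rather than guessing them here.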
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Defense Evasion or Persistence via Hidden Files",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Defense Evasion or Persistence via Hidden Files",
 "query": "event.code:1 and process.name:attrib.exe and (process.args:\"+h\" or process.args:\"+s\")",
 "risk_score": 50,
 "rule_id": "340a0063-baba-447b-8396-26a5cc1eb684",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
index b98b0e3f8d0aa..a920679531a04 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Defense evasion via Filter Manager",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Defense evasion via Filter Manager",
 "query": "event.code:1 and process.name:fltmc.exe",
 "risk_score": 50,
 "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
index 2d37fedd30480..863ad02022a51 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Defense Evasion via Windows Event Log Tools",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Defense Evasion via Windows Event Log Tools",
 "query": "event.code:1 and process.name:wevtutil.exe",
 "risk_score": 50,
 "rule_id": "07979a67-ab4d-460f-9ff3-bf1352de6762",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
index 027556b7f2456..477dd00bb5b8f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Execution via Compiled HTML File",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Execution via Compiled HTML File",
 "query": "event.code:1 and process.name:hh.exe",
 "risk_score": 50,
 "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
index 30d2f4e3c8936..99ea8f7569321 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Execution via Connection Manager",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Execution via Connection Manager",
 "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
 "risk_score": 50,
 "rule_id": "f2728299-167a-489c-913c-2e0955ac3c40",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
index aa67d2aebe64b..36e8a2ac7d75b 100644
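Review bot: The `query` context line of windows_execution_via_connection_manager.json is byte-for-byte the same as the one in windows_indirect_command_execution.json later in this patch (`process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)`), and nothing in it refers to Connection Manager, so the two rules duplicate each other's alerts and the Connection Manager technique named in `name`/`description` has no coverage. Either this file's query was pasted from the other rule or the name is wrong; the rule author should supply the intended Connection Manager predicate and keep only one rule for the pcalua/forfiles pattern. A one-line TODO in the commit message or a follow-up issue would be enough if the fix is out of scope for this rename commit.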
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Execution via Microsoft HTML Application (HTA)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Execution via Microsoft HTML Application (HTA)",
 "query": "event.code:1 and (process.parent.args:*mshta* or process.args:*mshta*)",
 "risk_score": 50,
 "rule_id": "b007cc82-c522-48d1-b7a7-53f63c50c494",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
index 20e0eba610e95..671439a6783cc 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Execution via .NET COM Assemblies",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Execution via .NET COM Assemblies",
 "query": "event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)",
 "risk_score": 50,
 "rule_id": "5c12412f-602c-4120-8c4f-69d723dbba04",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
index 9371ec67fcec5..fdafb3363e47b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Execution via Regsvr32",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Execution via Regsvr32",
 "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)",
 "risk_score": 50,
 "rule_id": "b7333d08-be4b-4cb4-b81e-924ae37b3143",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
index 3153c0d38d2fd..6a22ae59a8afc 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Execution via Trusted Developer Utilities",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Execution via Trusted Developer Utilities",
 "query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)",
 "risk_score": 50,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
index 4e39ab96840df..785b755994cf4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows: HTML Help executable Program Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows: HTML Help executable Program Connecting to the Internet",
 "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
index d00f671c7b606..db36f776e74d0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
@@ -1,7 +1,6 @@
 {
 "description": "Windows image load from a temp directory",
- "enabled": false,
- "filters": [
+ "filters": [
 {
 "$state": {
 "store": "appState"
@@ -28,16 +27,12 @@
 }
 }
 ],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows image load from a temp directory",
 "query": "file.path:Temp",
 "risk_score": 50,
 "rule_id": "f23e4cc7-6825-4a28-b27a-e67437a9a806",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
index cbde84a5fc858..cc51ff8ed8380 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Indirect Command Execution",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Indirect Command Execution",
 "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
 "risk_score": 50,
 "rule_id": "ff969842-c573-4e69-8e12-02fb303290f2",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
index e60c57ebc489a..438dc31a4aa27 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Iodine activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Iodine activity",
 "query": "event.code: 1 and process.name:iodine.exe or process.name:iodined.exe",
 "risk_score": 50,
 "rule_id": "fcbbf0b2-99c5-4c7f-8411-dc9ee392e43f",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
index 378b23825dc82..c6e8633112dc7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Management Instrumentation (WMI) Execution",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Management Instrumentation (WMI) Execution",
 "query": "event.code:1 and (process.parent.args:*wmiprvse.exe* or process.name:wmic.exe or process.args:*wmic* )",
 "risk_score": 50,
 "rule_id": "cec5eb81-6e01-40e5-a1bf-bf175cce4eb4",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
index 8b5dffeec67af..262eca177fdc1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet",
 "query": "process.name:mshta.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "b084514b-e8ba-4bc4-bc2b-50fe145a4215",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
index 1016d2c7af5f2..e0058bd531141 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
@@ -1,16 +1,11 @@
 {
 "description": "Windows Mimikatz activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Windows Mimikatz activity",
 "query": "event.code: 1 and process.name:mimikatz.exe",
 "risk_score": 50,
 "rule_id": "5346463d-062f-419d-88ff-7a5e97875210",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
index e6d606384d454..004b1837e22fb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows: Misc LOLBin Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows: Misc LOLBin Connecting to the Internet",
 "query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
index f8689bb314857..2b846d560beeb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
@@ -1,16 +1,11 @@
 {
 "description": "Windows net command activity by the SYSTEM account",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Windows net command activity by the SYSTEM account",
 "query": "process.name: (net.exe or net1.exe) and user.name:SYSTEM",
 "risk_score": 50,
 "rule_id": "c3f5dc81-a8b4-4144-95a7-d0a818d7355d",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
index 6b895f30fd5c4..a7b417807ee7e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
@@ -1,16 +1,11 @@
 {
 "description": "Windows net user command activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Windows net user command activity",
 "query": "process.name:net.exe and process.args:user and event.code:1",
 "risk_score": 50,
 "rule_id": "b039a69d-7fba-4c84-8029-57ac12548a15",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
index 8b105514ec798..36c6abb20ef1a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
@@ -1,16 +1,11 @@
 {
 "description": "Windows Netcat activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Windows Netcat activity",
 "query": "process.name:ncat.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "e2437364-0c89-4e65-a34b-782cfbb7690b",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
index c16c91d9637e5..b6a84302df986 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
@@ -1,16 +1,11 @@
 {
 "description": "Windows Netcat network activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Windows Netcat network activity",
 "query": "process.name:ncat.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
 "risk_score": 50,
 "rule_id": "ebdc4b6f-7fdb-4c21-bbd6-59e1ed11024a",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
index a22b12d242414..a35a00aaf5849 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Network - Anomalous Windows Process Using HTTP/S Ports",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Network - Anomalous Windows Process Using HTTP/S Ports",
 "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:chrome.exe and not process.name:explorer.exe and not process.name:filebeat.exe and not process.name:firefox.exe and not process.name:iexplore.exe and not process.name:jusched.exe and not process.name:MpCmdRun.exe and not process.name:MpSigStub.exe and not process.name:msfeedssync.exe and not process.name:packetbeat.exe and not process.name:powershell.exe and not process.name:procexp64.exe and not process.name:svchost.exe and not process.name:taskhostw.exe and not process.name:winlogbeat.exe",
 "risk_score": 50,
 "rule_id": "b486fa9e-e6c7-44a1-b07d-7d5f07f21ce1",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
index a0c3b5be64d1c..9bfdd316953cb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
@@ -1,16 +1,11 @@
 {
 "description": "Windows nmap activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Windows nmap activity",
 "query": "process.name:nmap.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "5a4b2a98-31a6-4852-b224-d63aeb9e172d",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
index 0195367b6f712..2c9c68b412b58 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
@@ -1,16 +1,11 @@
 {
 "description": "Windows nmap scan activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Windows nmap scan activity",
 "query": "process.name:nmap.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
 "risk_score": 50,
 "rule_id": "54413985-a3da-4f45-b238-75afb65a1bae",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
index 421cadfa8a63d..280d6cd499050 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Payload Obfuscation via Certutil",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Payload Obfuscation via Certutil",
 "query": "event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)",
 "risk_score": 50,
 "rule_id": "ce7c270c-c69b-47dd-8c21-60a35e92f372",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
index 47de4ba9ff6e7..199774895f1e4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Persistence or Priv Escalation via Hooking",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Persistence or Priv Escalation via Hooking",
 "query": "event.code:1 and process.name:mavinject.exe and processs.args:*INJECTRUNNING*",
 "risk_score": 50,
 "rule_id": "015f070d-cf70-437c-99d1-472e31d36b03",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
index c6e558a3be260..507f73352e1aa 100644
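Review bot: The `query` context line of windows_persistence_or_priv_escalation_via_hooking.json references `processs.args` (three s's) rather than `process.args`, the field every other rule in this patch uses; unless a field of that name exists in the index mapping, that clause can never match and the rule silently produces no alerts. Since the file is being rewritten here, the typo should be fixed in the same change: `"query": "event.code:1 and process.name:mavinject.exe and process.args:*INJECTRUNNING*",`. A schema-level check that every field referenced by a prepackaged rule exists in ECS would catch this class of dead rule before it ships.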
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Persistence via Application Shimming",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Persistence via Application Shimming",
 "query": "event.code:1 and process.name:sdbinst.exe",
 "risk_score": 50,
 "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
index b6d97628f98ec..2544038d52551 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Persistence via BITS Jobs",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Persistence via BITS Jobs",
 "query": "event.code:1 and (process.name:bitsadmin.exe or process.args:*Start-BitsTransfer*)",
 "risk_score": 50,
 "rule_id": "7904fb20-172c-43fb-83e4-bfe27e3c702c",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
index 782ce7a6eec92..e74215eb143c2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Persistence via Modification of Existing Service",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Persistence via Modification of Existing Service",
 "query": "event.code:1 and process.args:*sc*config*binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)",
 "risk_score": 50,
 "rule_id": "3bb04809-84ab-4487-bd99-ccc58675bd40",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
index 19e6ac51158eb..bc3221431357d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Persistence via Netshell Helper DLL",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Persistence via Netshell Helper DLL",
 "query": "event.code:1 and process.name:netsh.exe and process.args:*helper*",
 "risk_score": 50,
 "rule_id": "d7c2561d-2758-46ad-b5a9-247efb9eea21",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
index 50e3d6e0f3874..de6c3e3bdbdbf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows: Powershell Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows: Powershell Connecting to the Internet",
 "query": "process.name:powershell.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "a8cfa646-e4d8-48b5-884e-6204ba77fc8d",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
index 96faa2a88e3a6..54c93cdb85037 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Priv Escalation via Accessibility Features",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Priv Escalation via Accessibility Features",
 "query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)",
 "risk_score": 50,
 "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
index 572a9ede23e2a..5158c06a11d24 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Process Discovery via Tasklist Command",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Process Discovery via Tasklist Command",
 "query": "event.code:1 and process.name:tasklist.exe",
 "risk_score": 50,
 "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
index 9e29c82e48872..8a1af4c14d09f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
@@ -1,17 +1,11 @@
 {
 "description": "Process Execution via WMI",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Process Execution via WMI",
 "query": "process.name:scrcons.exe",
 "risk_score": 50,
 "rule_id": "7e6cd4b9-6346-4683-b3e6-6a3e66f3208f",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
index e96c223765cbd..2d835ea295d5f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
@@ -1,16 +1,11 @@
 {
 "description": "Process started by Acrobat reader - possible payload",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Process started by Acrobat reader - possible payload",
 "query": "process.parent.name:AcroRd32.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "b6422896-b6e3-45c3-9d9e-4eccb2a25270",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
index c2e185cd0c7eb..21f403166662f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
@@ -1,16 +1,11 @@
 {
 "description": "Process started by MS Office program - possible payload",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Process started by MS Office program - possible payload",
 "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE and event.code:1",
 "risk_score": 50,
 "rule_id": "838dcec6-ce9a-4cdd-9ca8-f6512cf6d559",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
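Review bot: In the MS Office rule's `query` context line, `and event.code:1` applies only to the last term, `process.parent.name:WINWORD.EXE`, because KQL gives `and` higher precedence than `or`; the other five parent-process alternatives therefore match on any event code rather than only process creation. Wrapping the `or` chain in parentheses — `(process.parent.name:EXCEL.EXE or ... or process.parent.name:WINWORD.EXE) and event.code:1` — gives the reading the rule name implies, and it keeps the rule consistent with the Acrobat Reader rule in the hunk above, which has a single parent term and no such ambiguity. The query line is carried over unchanged by this commit, so this could be a follow-up rather than a blocker.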
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
index 6902807cb51d1..6361a3fecab8a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
@@ -1,16 +1,11 @@
 {
 "description": "Windows process started by the Java runtime",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Windows process started by the Java runtime",
 "query": "process.parent.name:javaw.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "159168a1-b1d0-4e5c-ad72-c1e9ae2edec2",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
index 280f061ed7785..2db053da70b68 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
@@ -1,17 +1,11 @@
 {
 "description": "PSexec activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "PSexec activity",
 "query": "process.name:PsExec.exe or process.name:PsExec64.exe",
 "risk_score": 50,
 "rule_id": "3e61ab8b-0f39-4d2e-ab64-332f0d0b3ad7",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
index 563553a24a3e7..4386724ef1b18 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows: Register Server Program Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows: Register Server Program Connecting to the Internet",
 "query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
index d9bc00cfbd336..b21edba964f6e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Registry Query, Local",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Registry Query, Local",
 "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
 "risk_score": 50,
 "rule_id": "b9074c74-6d23-4b07-927e-cc18b318a088",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
index ddf8ff569e35f..3c0ee222d13d9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Registry Query, Network",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Registry Query, Network",
 "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
 "risk_score": 50,
 "rule_id": "f5412e37-981e-4d37-a1b2-eddaf797445a",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
index 0e67b777ac6dc..703aaa39fd224 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
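Review bot: The `query` line of windows_registry_query_network.json is byte-identical to the one in windows_registry_query_local.json in the hunk above (`event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*`), so the two rules fire on exactly the same events and differ only in `name` and `rule_id`, which doubles the alerts for every match. If the Network variant is meant to cover queries against a remote host it needs a distinguishing term in its query; if the duplication is intentional, the `description` should say so. Both hunks are carried over by this commit without touching the query lines, so this may be a follow-up.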
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Remote Management Execution",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Remote Management Execution",
 "query": "(process.name:wsmprovhost.exe or process.name:winrm.cmd) and (process.args:*Enable-PSRemoting -Force* or process.args:*Invoke-Command -computer_name* or process.args:*wmic*node*process call create*)",
 "risk_score": 50,
 "rule_id": "ced66221-3e07-40ee-8588-5f107e7d50d8",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
index 58fd2df8f15ef..4f450cb3108bf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Scheduled Task Activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Scheduled Task Activity",
 "query": "event.code:1 and (process.name:schtasks.exe or process.name:taskeng.exe) or (event.code:1 and process.name:svchost.exe and not process.parent.executable: \"C:\\Windows\\System32\\services.exe\" )",
 "risk_score": 50,
 "rule_id": "a1abd54d-3021-4f21-b2d1-0c6bc5c4051f",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
index 41559425538ab..f37927f56ff3a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows: Script Interpreter Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows: Script Interpreter Connecting to the Internet",
 "query": "(process.name:cscript.exe or process.name:wscript.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "2cc4597c-b0c9-4481-b1a6-e6c05cfc9f02",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
index 64185c784e028..d5da9595ffe7f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Signed Binary Proxy Execution",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution",
 "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)",
 "risk_score": 50,
 "rule_id": "7edb573f-1f9b-4161-8c19-c7c383bb17f2",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
index b1146f07612f6..443d0cc9f4273 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Signed Binary Proxy Execution Download",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution Download",
 "query": " event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)",
 "risk_score": 50,
 "rule_id": "68ecc190-cce2-4021-b976-c7c846ac0a00",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
index c5a7db434ac38..3c90a1a8d5616 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
@@ -1,16 +1,11 @@
 {
 "description": "Suspicious process started by a script",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Suspicious process started by a script",
 "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe) and event.code:1",
 "risk_score": 50,
 "rule_id": "89db767d-99f9-479f-8052-9205fd3090c4",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
index b13a20518893c..94d1f5d979d2a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
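Review bot: In the `query` context line of windows_suspicious_process_started_by_a_script.json, the child-process alternative `or mshta.exe or` carries no field, unlike every neighbouring term in that group; in KQL a bare value is a free-text search over the default fields rather than a match on `process.name`, so this branch does not behave like the rest of the list and may match or miss events unexpectedly. It should read `process.name:mshta.exe`. The line is carried over unchanged by this commit, so it could be addressed in a follow-up.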
@@ -1,16 +1,11 @@
 {
 "description": "Windows whoami command activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
+ "language": "kuery",
 "name": "Windows whoami command activity",
 "query": "process.name:whoami.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
index 8fc548b694b02..880a2fc35da00 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
@@ -1,17 +1,11 @@
 {
 "description": "WinDump activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "WinDump activity",
 "query": "process.name:WinDump.exe",
 "risk_score": 50,
 "rule_id": "a342cfcb-8420-46a4-8d85-53edc631e0d6",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
index 30ee18fe53557..58b015d2d8ad3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
@@ -1,17 +1,11 @@
 {
 "description": "Windows Wireshark activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows Wireshark activity",
 "query": "process.name:wireshark.exe",
 "risk_score": 50,
 "rule_id": "9af965ed-d501-4541-97f6-5f8d2a39737b",
 "severity": "low",
- "to": "now",
 "type": "query",
 "version": 1
 }
From db1e93c5d9b5026b7fc0b4ce493df4303c0f385c Mon Sep 17 00:00:00 2001
From: FrankHassanabad Date: Fri, 24 Jan 2020 11:47:03 -0700 Subject: [PATCH 3/9] rule clean up --- .../add_prepackaged_rules_schema.test.ts | 87 +------------------ .../schemas/add_prepackaged_rules_schema.ts | 8 +- .../403_response_to_a_post.json | 8 ++ .../405_response_method_not_allowed.json | 8 ++ .../500_response_on_admin_page.json | 8 ++ ...den_file_attribute_with_via_attribexe.json | 8 ++ .../eql_adobe_hijack_persistence.json | 8 ++ .../eql_audio_capture_via_powershell.json | 8 ++ .../eql_audio_capture_via_soundrecorder.json | 8 ++ .../eql_bypass_uac_event_viewer.json | 8 ++ .../eql_bypass_uac_via_cmstp.json | 8 ++ .../eql_bypass_uac_via_sdclt.json | 8 ++ .../eql_clearing_windows_event_logs.json | 8 ++ ...delete_volume_usn_journal_with_fsutil.json | 8 ++ ...deleting_backup_catalogs_with_wbadmin.json | 8 ++ .../eql_direct_outbound_smb_connection.json | 8 ++ ...ble_windows_firewall_rules_with_netsh.json | 8 ++ .../eql_dll_search_order_hijack.json | 8 ++ ...coding_or_decoding_files_via_certutil.json | 8 ++ .../eql_local_scheduled_task_commands.json | 8 ++ .../eql_local_service_commands.json | 8 ++ ...ql_modification_of_boot_configuration.json | 8 ++ ...ql_msbuild_making_network_connections.json | 8 ++ .../eql_mshta_making_network_connections.json | 8 ++ .../eql_msxsl_making_network_connections.json | 8 ++ .../eql_psexec_lateral_movement_command.json | 8 ++ ...ql_suspicious_ms_office_child_process.json | 8 ++ ...l_suspicious_ms_outlook_child_process.json | 8 ++ ...l_suspicious_pdf_reader_child_process.json | 8 ++ .../eql_system_shells_via_services.json | 8 ++ ...usual_network_connection_via_rundll32.json | 8 ++ .../eql_unusual_parentchild_relationship.json | 8 ++ ...ql_unusual_process_network_connection.json | 8 ++ .../eql_user_account_creation.json | 8 ++ ...eql_user_added_to_administrator_group.json | 8 ++ ...ume_shadow_copy_deletion_via_vssadmin.json | 8 ++ ..._volume_shadow_copy_deletion_via_wmic.json | 8 ++ ...l_windows_script_executing_powershell.json | 8 
++ .../eql_wmic_command_lateral_movement.json | 8 ++ .../linux_hping_activity.json | 10 ++- .../linux_iodine_activity.json | 10 ++- .../linux_kernel_module_activity.json | 2 +- .../linux_ldso_process_activity.json | 8 ++ .../linux_lzop_activity.json | 8 ++ .../linux_mknod_activity.json | 10 ++- .../linux_netcat_network_connection.json | 10 ++- ...k_anomalous_process_using_https_ports.json | 8 ++ .../linux_nmap_activity.json | 10 ++- .../linux_nping_activity.json | 10 ++- ...nux_process_started_in_temp_directory.json | 2 +- .../linux_ptrace_activity.json | 10 ++- .../linux_rawshark_activity.json | 10 ++- .../linux_shell_activity_by_web_server.json | 2 +- .../linux_socat_activity.json | 10 ++- .../linux_ssh_forwarding.json | 10 ++- .../linux_strace_activity.json | 10 ++- .../linux_tcpdump_activity.json | 10 ++- .../prepackaged_rules/linux_web_download.json | 10 ++- .../linux_whoami_commmand.json | 3 - .../network_dns_directly_to_the_internet.json | 8 ++ ...fer_protocol_activity_to_the_internet.json | 8 ++ ...hat_protocol_activity_to_the_internet.json | 8 ++ .../network_nat_traversal_port_activity.json | 8 ++ .../network_port_26_activity.json | 8 ++ .../network_port_8000_activity.json | 8 ++ ...rk_port_8000_activity_to_the_internet.json | 8 ++ ..._to_point_tunneling_protocol_activity.json | 8 ++ ...k_proxy_port_activity_to_the_internet.json | 8 ++ ...te_desktop_protocol_from_the_internet.json | 8 ++ ...mote_desktop_protocol_to_the_internet.json | 8 ++ ...mote_procedure_call_from_the_internet.json | 8 ++ ...remote_procedure_call_to_the_internet.json | 8 ++ ...file_sharing_activity_to_the_internet.json | 8 ++ .../network_smtp_to_the_internet.json | 8 ++ ..._server_port_activity_to_the_internet.json | 8 ++ ...rk_ssh_secure_shell_from_the_internet.json | 8 ++ ...work_ssh_secure_shell_to_the_internet.json | 8 ++ .../network_telnet_port_activity.json | 8 ++ .../network_tor_activity_to_the_internet.json | 8 ++ ...l_network_computing_from_the_internet.json | 8 ++ 
...ual_network_computing_to_the_internet.json | 8 ++ .../prepackaged_rules/null_user_agent.json | 10 ++- .../prepackaged_rules/sqlmap_user_agent.json | 8 ++ ...rvice_bits_connecting_to_the_internet.json | 8 ++ .../windows_burp_ce_activity.json | 8 ++ ...s_certutil_connecting_to_the_internet.json | 8 ++ ...and_prompt_connecting_to_the_internet.json | 8 ++ ...nd_shell_started_by_internet_explorer.json | 10 ++- ...s_command_shell_started_by_powershell.json | 10 ++- ...dows_command_shell_started_by_svchost.json | 8 ++ .../windows_credential_dumping_commands.json | 8 ++ ...dows_credential_dumping_via_imageload.json | 8 ++ ..._credential_dumping_via_registry_save.json | 8 ++ ...ows_data_compression_using_powershell.json | 8 ++ ...fense_evasion_decoding_using_certutil.json | 8 ++ ...asion_or_persistence_via_hidden_files.json | 8 ++ ...ws_defense_evasion_via_filter_manager.json | 8 ++ ...e_evasion_via_windows_event_log_tools.json | 8 ++ ...dows_execution_via_compiled_html_file.json | 8 ++ ...dows_execution_via_connection_manager.json | 8 ++ ...on_via_microsoft_html_application_hta.json | 8 ++ ...dows_execution_via_net_com_assemblies.json | 8 ++ .../windows_execution_via_regsvr32.json | 8 ++ ...ution_via_trusted_developer_utilities.json | 8 ++ ...le_program_connecting_to_the_internet.json | 8 ++ ...dows_image_load_from_a_temp_directory.json | 10 ++- .../windows_indirect_command_execution.json | 8 ++ .../windows_iodine_activity.json | 8 ++ ...agement_instrumentation_wmi_execution.json | 8 ++ ...cation_hta_connecting_to_the_internet.json | 8 ++ .../windows_mimikatz_activity.json | 10 ++- ...isc_lolbin_connecting_to_the_internet.json | 8 ++ ...ommand_activity_by_the_system_account.json | 10 ++- .../windows_net_user_command_activity.json | 10 ++- .../windows_netcat_activity.json | 10 ++- .../windows_netcat_network_activity.json | 10 ++- ...ous_windows_process_using_https_ports.json | 8 ++ .../windows_nmap_activity.json | 10 ++- .../windows_nmap_scan_activity.json | 10 ++- 
...dows_payload_obfuscation_via_certutil.json | 8 ++ ...stence_or_priv_escalation_via_hooking.json | 8 ++ ..._persistence_via_application_shimming.json | 8 ++ .../windows_persistence_via_bits_jobs.json | 8 ++ ..._via_modification_of_existing_service.json | 8 ++ ...s_persistence_via_netshell_helper_dll.json | 8 ++ ...powershell_connecting_to_the_internet.json | 8 ++ ...escalation_via_accessibility_features.json | 8 ++ ...rocess_discovery_via_tasklist_command.json | 8 ++ .../windows_process_execution_via_wmi.json | 8 ++ ...ed_by_acrobat_reader_possible_payload.json | 10 ++- ...by_ms_office_program_possible_payload.json | 10 ++- ...s_process_started_by_the_java_runtime.json | 10 ++- .../windows_psexec_activity.json | 8 ++ ...er_program_connecting_to_the_internet.json | 8 ++ .../windows_registry_query_local.json | 8 ++ .../windows_registry_query_network.json | 8 ++ .../windows_remote_management_execution.json | 8 ++ .../windows_scheduled_task_activity.json | 8 ++ ...nterpreter_connecting_to_the_internet.json | 8 ++ ...windows_signed_binary_proxy_execution.json | 8 ++ ...igned_binary_proxy_execution_download.json | 8 ++ ...uspicious_process_started_by_a_script.json | 10 ++- .../windows_whoami_command_activity.json | 10 ++- .../windows_windump_activity.json | 8 ++ .../windows_wireshark_activity.json | 8 ++ 145 files changed, 1153 insertions(+), 121 deletions(-) diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts index c3f7bb0136ec6..c8c25f489bf79 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts 
@@ -342,28 +342,7 @@ describe('add prepackaged rules schema', () => { ).toEqual(true); }); - test('immutable cannot be false', () => { - expect( - addPrepackagedRulesSchema.validate>({ - rule_id: 'rule-1', - risk_score: 50, - description: 'some description', - from: 'now-5m', - to: 'now', - index: ['index-1'], - immutable: false, - name: 'some-name', - severity: 'low', - interval: '5m', - type: 'query', - query: 'some-query', - language: 'kuery', - version: 1, - }).error.message - ).toEqual('child "immutable" fails because ["immutable" must be one of [true]]'); - }); - - test('immutable can be true', () => { + test('immutable cannot be set in a pre-packaged rule', () => { expect( addPrepackagedRulesSchema.validate>({ rule_id: 'rule-1', @@ -380,8 +359,8 @@ describe('add prepackaged rules schema', () => { query: 'some-query', language: 'kuery', version: 1, - }).error - ).toBeFalsy(); + }).error.message + ).toEqual('child "immutable" fails because ["immutable" is not allowed]'); }); test('defaults enabled to false', () => { 
@@ -937,54 +916,6 @@ describe('add prepackaged rules schema', () => { ); }); - test('You can optionally set the immutable to be true', () => { - expect( - addPrepackagedRulesSchema.validate>({ - rule_id: 'rule-1', - risk_score: 50, - description: 'some description', - from: 'now-5m', - to: 'now', - immutable: true, - index: ['index-1'], - name: 'some-name', - severity: 'low', - interval: '5m', - type: 'query', - references: ['index-1'], - query: 'some query', - language: 'kuery', - max_signals: 1, - version: 1, - }).error - ).toBeFalsy(); - }); - - test('You cannot set the immutable to be a number', () => { - expect( - addPrepackagedRulesSchema.validate< - Partial> & { immutable: number } - >({ - rule_id: 'rule-1', - risk_score: 50, - description: 'some description', - from: 'now-5m', - to: 'now', - immutable: 5, - index: ['index-1'], - name: 'some-name', - severity: 'low', - interval: '5m', - type: 'query', - references: ['index-1'], - query: 'some query', - language: 'kuery', - max_signals: 1, - version: 1, - }).error.message - ).toEqual('child "immutable" fails because ["immutable" must be a boolean]'); - }); - test('You cannot set the risk_score to 101', () => { expect( addPrepackagedRulesSchema.validate>({ @@ -993,7 +924,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1016,7 +946,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1039,7 +968,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', 
@@ -1062,7 +990,6 @@ describe('add prepackaged rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1085,7 +1012,6 @@ describe('add prepackaged rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1113,7 +1039,6 @@ describe('add prepackaged rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1137,7 +1062,6 @@ describe('add prepackaged rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1183,7 +1107,6 @@ describe('add prepackaged rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1207,7 +1130,6 @@ describe('add prepackaged rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1232,7 +1154,6 @@ describe('add prepackaged rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1257,7 +1178,6 @@ describe('add prepackaged rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1282,7 +1202,6 @@ describe('add prepackaged rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
index d254f83243491..240021d40ddc4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
@@ -42,9 +42,10 @@ import { DEFAULT_MAX_SIGNALS } from '../../../../../common/constants';
 * Big differences between this schema and the createRulesSchema
 * - rule_id is required here
 * - output_index is not allowed (and instead the space index must be used)
- * - immutable defaults to true instead of to false and if it is there can only be true
+ * - immutable is forbidden but defaults to true instead of to false and it can only ever be true
 * - enabled defaults to false instead of true
 * - version is a required field that must exist
+ * - index is a required field that must exist
 */
 export const addPrepackagedRulesSchema = Joi.object({
 description: description.required(),
@@ -53,7 +54,10 @@ export const addPrepackagedRulesSchema = Joi.object({
 filters,
 from: from.default('now-6m'),
 rule_id: rule_id.required(),
- immutable: immutable.default(true).valid(true),
+ immutable: immutable
+ .forbidden()
+ .default(true)
+ .valid(true),
 index,
 interval: interval.default('5m'),
 query: query.allow('').default(''),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
index 93b1dfba706c6..501abf1dc443a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
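Review bot: The new comment line `* - index is a required field that must exist` is not backed by the code in the second hunk of this file, where `index,` is still passed through bare while `rule_id: rule_id.required()` two lines above shows how this schema marks required keys. Unless the shared `index` schema imported from the sibling schemas module was made required elsewhere in this series, the comment overstates what the validator enforces, and a pre-packaged rule file that omits `index` would still load. Either change the property to `index: index.required(),` so the comment is true, or reword the bullet to say that the shipped rule files now carry an explicit `index` list.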
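Review bot: In `immutable: immutable.forbidden().default(true).valid(true)` the trailing `.valid(true)` can never apply to a caller-supplied value, because `.forbidden()` already rejects any present value (the test hunk pins the `"immutable" is not allowed` message), so it only documents intent. The security property this hunk relies on is that Joi still applies `.default(true)` to a forbidden-but-absent key; that is a Joi-version detail which nothing here verifies. A one-line comment stating the expectation would stop the next reader from "simplifying" the chain, e.g. `// forbidden on input, but the default still applies: stored pre-packaged rules are always immutable`, and a test asserting the defaulted value in the validated output would make the reliance explicit.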
@@ -1,5 +1,13 @@
 {
 "description": "403 Response to a POST",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "403 Response to a POST",
 "query": "http.response.status_code:403 and http.request.method:post",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
index 90a3ccebfc494..1c66795b0d0e9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
@@ -1,5 +1,13 @@
 {
 "description": "405 Response (Method Not Allowed)",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "405 Response (Method Not Allowed)",
 "query": "http.response.status_code:405",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
index c75d442b74aa6..d9f4b6ad709af 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
@@ -1,5 +1,13 @@
 {
 "description": "500 Response on Admin page",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "500 Response on Admin page",
 "query": "url.path:\"/admin/\" and http.response.status_code:500",
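Review bot: The same six index patterns are pasted verbatim into every rule file in this series, starting with the three HTTP-status rules here, so any later change to the default pattern set has to be repeated across all of them and a file that misses the edit silently searches a different set of indices than its siblings. I would keep one shared list and have the loader apply it to rules that omit `index`, or at minimum add a test over the prepackaged rule directory asserting that every rule carries a non-empty `index` array. The HTTP-status queries here only match web-traffic sources, so the host-only beats in the list presumably add cost without adding coverage for these three rules; a per-rule list would also make that explicit.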
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
index 5a297a43979ac..8545138eb416c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -1,5 +1,13 @@
 {
 "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Adding the Hidden File Attribute with via attrib.exe",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
index 92109ca719b63..ce7fac0f8665f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
@@ -1,5 +1,13 @@
 {
 "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Adobe Hijack Persistence",
 "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
index fb500a5fd8b09..761202b4f858d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
@@ -1,5 +1,13 @@
 {
 "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Audio Capture via PowerShell",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
index 2d5df5e42ce94..3abe704626096 100644
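Review bot: The unchanged query line of the Adobe Hijack Persistence rule ends in `not process.name:msiexeec.exe`, which looks like a misspelling of `msiexec.exe`; as written the exclusion never matches anything, so routine installer writes to the two Acrobat paths will alert and the rule will be noisier than its author intended. The hunk only adds the `index` list, so this is pre-existing, but it is cheap to fix in the same pass: `... and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe`. I would also tighten the exclusion to `process.executable` under the Windows system directory rather than a bare name, since a name-only exclusion is trivial to satisfy.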
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
@@ -1,5 +1,13 @@
 {
 "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Audio Capture via SoundRecorder",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
index b3b91d66ff205..4192622c90fbb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies User Account Control (UAC) bypass via eventvwr. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Bypass UAC via Event Viewer",
 "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
index 573b5fb9d5f1b..af92f22db98e7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Bypass UAC via CMSTP",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
index 81fb4d6111296..cc68744f2aeae 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Bypass UAC via SDCLT",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
index d490665446440..710139d3f6a7f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt evade detection or destroy forensic evidence on a system.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Clearing Windows Event Logs",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
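Review bot: The SDCLT rule's description still says "bypass via cmstp", copied from the CMSTP rule in the previous section, while its name and query are about sdclt.exe; an analyst triaging the alert will be pointed at the wrong binary. The hunk leaves the line unchanged, so this is pre-existing, but it is a one-word fix: `"description": "Identifies User Account Control (UAC) bypass via sdclt. Attackers bypass UAC to stealthily execute code with elevated permissions.",`.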
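Review bot: In the Clearing Windows Event Logs query, `and` binds tighter than `or` in KQL, so the leading `event.action:"Process Create (rule: ProcessCreate)"` clause only constrains the wevtutil branch; the `(process.name:"powershell.exe" and process.args:"Clear-EventLog")` branch matches any event type that carries those two fields, which widens the rule beyond process creation and changes what an alert means. Grouping the two branches keeps the event.action filter on both: `"query": "event.action:\"Process Create (rule: ProcessCreate)\" and ((process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"))",`. The Disable Windows Firewall Rules with Netsh rule later in this series has the same shape, and there the `advfirewall` branch is not even tied to `process.name:"netsh.exe"`, so it deserves the same parenthesisation.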
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
index 7110a9d8655b6..31bdef69cdefe 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Delete Volume USN Journal with fsutil",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
index 7de4da0bf6cbd..ade4d454433f2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies use of the wbadmin command to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Deleting Backup Catalogs with wbadmin",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
index 505ada37bfb86..6be42fc6343bc 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Direct Outbound SMB Connection",
 "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
index 145ee7551567b..36ca0d7802866 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies use of the netsh command to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Disable Windows Firewall Rules with Netsh",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
index 250d7fbabdbac..78637e4b6a169 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
@@ -1,5 +1,13 @@
 {
 "description": "Detects writing DLL files to known locations associated with Windows files vulnerable to DLL search order hijacking.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "DLL Search Order Hijack",
 "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
index ed9784a0efb48..2e28dc4b5c118 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
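Review bot: Every `file.path` value in the DLL Search Order Hijack query is written as `C\Windows\...` with no drive colon, unlike the `C:\Windows\...` and `C:\Program Files\...` paths used by the sibling rules in this series, so the list will not match the paths that Windows file events actually carry and the rule is effectively inert. The hunk only adds the `index` list, so this is pre-existing, but since the point of the change is to make these rules run against real indices it should be corrected at the same time: each entry should read like `\"C:\\Windows\\ehome\\cryptbase.dll\"` (same JSON escaping as the Adobe Hijack Persistence rule). A quick unit test that loads each prepackaged rule and runs its query through the KQL parser would not catch this, so a smoke test against sample documents is the realistic guard.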
@@ -1,5 +1,13 @@
 {
 "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Encoding or Decoding Files via CertUtil",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
index dc790626db5e7..46d20a8591119 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
@@ -1,5 +1,13 @@
 {
 "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Local Scheduled Task Commands",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
index f6902c2642bec..9c38f13ed9187 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Local Service Commands",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
index 8ec13379e640f..6e2a43c502fb4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Modification of Boot Configuration",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
index 01fdf3bae06b2..32a3d8d47d917 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "MsBuild Making Network Connections",
 "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
index 4050c690616cb..d86632f739534 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Mshta Making Network Connections",
 "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
index b80825b9df8dd..6b86c5c487284 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
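Review bot: The Mshta rule's query, `process.name:"mshta.exe" and not process.name:"mshta.exe"`, contradicts itself and can never match a document, so giving it an index list does not make it fire; a rule that ships enabled-looking but silently dead is worse than no rule because it creates false assurance. By analogy with the MsBuild rule in the previous section, the trailing clause was presumably meant to exclude loopback destinations: `"query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not destination.ip:(\"127.0.0.1\" or \"::1\")",`. The hunk does not touch the query line, so this is pre-existing, but it is the kind of defect a load-time check for tautologically false queries would catch.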
@@ -1,5 +1,13 @@
 {
 "description": "Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "MsXsl Making Network Connections",
 "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
index 08bb417a2eafe..a5716db2bef28 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies use of the SysInternals tool PsExec to execute commands on a remote host. This is an indication of lateral movement and may detect adversaries.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "PsExec Lateral Movement Command",
 "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
index 14ed61f8b2c67..321c09fe9d6c9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json @@ -1,5 +1,13 @@ { "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Suspicious MS Office Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
index e486b51dd7a67..ea95faca9d662 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Suspicious MS Outlook Child Process",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
index 4f1f9bed53d27..400ae25e9caa2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "EQL - Suspicious PDF Reader Child Process",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
index 3a6757af5a822..5310c8f503b01 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "System Shells via Services",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
index e595d1fd62428..fc09b677b56c4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Unusual Network Connection via RunDLL32",
 "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
index 389a3a9ea7050..fdea18d47f263 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Unusual Parent-Child Relationship ",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
index c57e170fd789e..3322e275a0a47 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Unusual Process Network Connection",
 "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
index 8e8f8847ead63..bc231a3eed0c1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "User Account Creation",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
index 4d9b63244877e..74383a2491f4c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies attempts to add a user to an administrative group with the \"net.exe\" command. This is sometimes done by attackers to increase access of a compromised account or create new account.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "User Added to Administrator Group",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
index c90df0a25c462..7cb013fd9ce21 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Volume Shadow Copy Deletion via VssAdmin",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
index ed1c70e3f5fa4..bbf29ec778d9c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies use of wmic for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Volume Shadow Copy Deletion via WMIC",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
index d3eeb148477aa..73c4f95cb70a2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies a PowerShell process launched by either CScript or WScript. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Script Executing PowerShell",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
index 173f9364844ce..df0c6eec8c370 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
@@ -1,5 +1,13 @@
 {
 "description": "Identifies use of wmic.exe to run commands on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "WMIC Command Lateral Movement",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
index a1938cd58a11e..27a27ef9b8b58 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Hping Activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Hping Activity",
 "query": "process.name: hping and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
index ba516f2963ffd..5be17f5311894 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Iodine Activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Iodine Activity",
 "query": "process.name: (iodine or iodined) and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
index 0a07c03928981..5a7181793705a 100644
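Review bot: The `index` list added to linux_hping_activity.json is inconsistent with the sibling Linux rules touched by this same diff — linux_kernel_module_activity.json and linux_process_started_in_temp_directory.json both keep `"index": ["auditbeat-*"]` — while this query, `process.name: hping and event.action:executed`, keys on an `event.action:executed` value that, of the listed sources, only the auditbeat data shown in this diff is seen to carry. Widening the search to `winlogbeat-*`, `apm-*-transaction*`, `filebeat-*`, `packetbeat-*` and `endgame-*` adds per-run search cost and, should any of those sources ever emit `event.action:executed` for a same-named process, unreviewed matches, without adding detections the rule was written for. The same pattern repeats in the iodine, ld.so, lzop, mknod, netcat, nping, ptrace, rawshark, socat, ssh_forwarding, strace, tcpdump and web_download hunks. Suggest `"index": ["auditbeat-*"],` for these process-execution rules, matching their siblings, unless the broader set is an intentional default that the PR description should then state.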
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
@@ -1,6 +1,6 @@
 {
 "description": "Identifies loadable kernel module errors, often indicative of potential persistence attempts.",
- "false_positives": ["Security tools and device drivers may load legitimate kernel modules."],
+ "false_positives": ["Security tools and device drivers may load legitimate kernel modules."],
 "index": ["auditbeat-*"],
 "language": "kuery",
 "max_signals": 33,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
index 7f7d19d0ab3e3..b2f572c6c7d0c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Linux ld.so process activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Linux ld.so process activity",
 "query": "process.name:ld.so and event.action:executed",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
index e9de8ea90e31e..bea3257137ed0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Linux lzop activity - possible @JulianRunnels",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Linux lzop activity",
 "query": "process.name:lzop and event.action:executed",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
index 4830094d37504..3dd0ada617a6f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Mknod Activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Mknod Activity",
 "query": "process.name: mknod and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
index b9178be35ee67..d1c3aadd97eed 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Netcat Network Connection",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Netcat Network Activity",
 "query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action: (connected-to or bound-socket or socket_opened)",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json
index 794ef3d538c61..0b1527104dc35 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json
@@ -1,5 +1,13 @@
 {
 "description": "Linux Network - Anomalous Process Using HTTP/S Ports",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Linux Network - Anomalous Process Using HTTP/S Ports",
 "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:curl and not process.name:http and not process.name:https and not process.name:nginx and not process.name:packetbeat and not process.name:python2 and not process.name:snapd and not process.name:wget",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
index ad64fc88b60ee..786f3cc937ec0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Nmap Activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Nmap Activity",
 "query": "process.name: nmap",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
index 37a50c759fc0c..c66f8ecab2952 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Nping Activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Nping Activity",
 "query": "process.name: nping and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json
index b389cf9453fbb..c30d21d30649a 100644
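Review bot: In the linux_nmap_activity hunk the context line `"query": "process.name: nmap"` is the only Linux process rule in this diff without an `event.action:executed` clause (the nping hunk on this same line reads `process.name: nping and event.action:executed`), and the `index` list added just above it widens the search to filebeat, packetbeat, winlogbeat and APM indices. Any document in those sources that merely carries `nmap` as a process name — a network flow or file event, not an execution — will now produce a signal, so the widening multiplies the noise of an already loose query. Suggest `"query": "process.name: nmap and event.action:executed",` to align it with its siblings; the hunk is complete within this line.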
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json
@@ -1,6 +1,6 @@
 {
 "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.",
- "false_positives": ["Build systems like Jenkins may start processes in the /tmp directory."],
+ "false_positives": ["Build systems like Jenkins may start processes in the /tmp directory."],
 "index": ["auditbeat-*"],
 "language": "kuery",
 "max_signals": 33,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json
index b524600d4e9f5..779b2c831cbdc 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Ptrace Activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Ptrace Activity",
 "query": "process.name: ptrace and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json
index 80e2c437852fa..7a4ea90f7aea2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Rawshark Activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Rawshark Activity",
 "query": "process.name: rawshark and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
index f85f8e5f67556..779719cd05445 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -1,6 +1,6 @@
 {
 "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.",
- "false_positives": [
+ "false_positives": [
 "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."
 ],
 "index": ["auditbeat-*"],
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
index fc175795e44e6..f9934b2764249 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: socat activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Whoami Commmand",
 "query": "process.name:socat and not process.args:\"-V\" and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
index 3d5b74e56e7b0..2c916019b518e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
@@ -1,6 +1,14 @@
 {
 "description": "Detect ssh processes with the `-R` flag which can be used to forward a port on a local system to the local system so that someone on the remote system can connect to the local system. This is often used by attackers to create encrypted tunnels through firewalls for pivoting and persistence.",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: SSH Port Forwarding",
 "query": "process.name:ssh and process.args:\"-R\" and event.action:executed",
 "references": [
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
index 17f8c93336c6a..3a43607cddde6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
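Review bot: On the new side of the linux_socat_activity hunk the rule `name` is still `"Linux: Whoami Commmand"` although the description is "Linux: socat activity" and the query matches `process.name:socat`, so signals from this rule will be labelled as whoami activity in the alert list and its name will collide with the separate whoami rule later in this diff. This is a context line the commit leaves untouched, and since the hunk already rewrites the neighbouring `language` line it is the natural place to fix it. Suggest `"name": "Linux: socat activity",` to match the description and query.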
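Review bot: The description in the linux_ssh_forwarding hunk says the `-R` flag is used "to forward a port on a local system to the local system", which reads as a copy error and contradicts the sentence's own conclusion that someone on the remote system then connects to the local one. `ssh -R` binds a listening port on the remote host and tunnels connections made to it back to the local side, which is exactly the reverse tunnel the rule is meant to surface. Suggest rewording the first sentence to `Detect ssh processes with the \`-R\` flag, which binds a listening port on the remote system and forwards connections made to it back to the local system.` and keeping the second sentence as is.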
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Strace Activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Strace Activity",
 "query": "process.name: strace and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
index 1110e1ec2619f..4803c88be292a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Tcpdump Activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Tcpdump Activity",
 "query": "process.name: tcpdump and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json
index ec4d52b0295c0..893ef5ef58e18 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json
@@ -1,6 +1,14 @@
 {
 "description": "Linux: Web Download",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Linux: Web Download",
 "query": "process.name: (curl or wget) and event.action:executed",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
index 146e1b3548408..6f05a3c01cf1b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
@@ -1,8 +1,5 @@
 {
 "description": "The 'whoami' command was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privlieged access.",
- "false_positives": [
- "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks."
- ],
 "index": ["auditbeat-*"],
 "language": "kuery",
 "max_signals": 33,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
index f36fd508f2398..245e58305ae1b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - DNS Directly to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - DNS Directly to the Internet",
 "query": "destination.port:53 and not destination.ip: 169.254.169.254/32 and not destination.ip:127.0.0.53/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
index 866d7a5280b8a..694dcb4610a57 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - FTP (File Transfer Protocol) Activity to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - FTP (File Transfer Protocol) Activity to the Internet",
 "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
index 5b091e112fc54..175aefa3eff6e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - IRC (Internet Relay Chat) Protocol Activity to the Internet",
 "query": "(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
index 743c4eb49d644..0797c8ba7f683 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - NAT Traversal Port Activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - NAT Traversal Port Activity",
 "query": "destination.port:4500",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
index 16187d1177412..c722cb60eb1a4 100644
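Review bot: The IRC rule's query on the new side is `(destination.port:20 or destination.port:21) and not destination.ip:...`, which is the FTP rule's query from the hunk above, so this rule duplicates the FTP detection and can never fire on IRC traffic. It should match the IRC ports instead, e.g. `"query": "(destination.port:6667 or destination.port:6697) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",` (6667 is the IANA-registered IRC port, 6697 the TLS one). Since several rules in this patch share an identical query with a neighbour, a test asserting that no two prepackaged rules have the same query would catch this class of copy-paste error before it ships.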
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - Port 26 Activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - Port 26 Activity",
 "query": "destination.port:26",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
index 4b0f339293e85..2744d022f1402 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - Port 8000 Activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - Port 8000 Activity",
 "query": "destination.port:8000",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
index f3eeebf6c4e77..7a5c32cab020d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - Port 8000 Activity to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - Port 8000 Activity to the Internet",
 "query": "destination.port:8000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
index bd5c049292530..e91a4e9a0b721 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - PPTP (Point to Point Tunneling Protocol) Activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - PPTP (Point to Point Tunneling Protocol) Activity",
 "query": "destination.port:1723",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
index 2daebbfc475a2..5c20688d61a44 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - Proxy Port Activity to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - Proxy Port Activity to the Internet",
 "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
index 8b933c8f877bb..ef20955709929 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - RDP (Remote Desktop Protocol) from the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - RDP (Remote Desktop Protocol) from the Internet",
 "query": "(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
index 660badcfb4e6b..927aa29ba7b3f 100644
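Review bot: The RDP-from-the-Internet rule's query is the proxy-port query copied from the hunk above it (`(destination.port:8080 or destination.port:3128) and not destination.ip:...`), so it looks at neither port 3389 nor the source address, and an inbound "from the Internet" rule that excludes private destination ranges is inverted anyway. Following the shape the SSH-from-the-Internet rule uses later in this patch, it should read `"query": "destination.port:3389 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",`. As written the rule labels ordinary outbound proxy traffic as inbound RDP.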
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - RDP (Remote Desktop Protocol) to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - RDP (Remote Desktop Protocol) to the Internet",
 "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
index 953cd2d2df947..bdf2f26fb23b6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - RPC (Remote Procedure Call) from the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - RPC (Remote Procedure Call) from the Internet",
 "query": "destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
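Review bot: The RPC-from-the-Internet rule's query `destination.port:3389 and not destination.ip:...` is a copy of the RDP-to-the-Internet query in the hunk just above; the RPC endpoint mapper is port 135 (which the RPC-to-the-Internet rule that follows uses), and an inbound rule needs the private-range exclusions on source.ip rather than destination.ip. Suggest `"query": "destination.port:135 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",`. Until then this rule merely re-raises the outbound RDP signal under an RPC name.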
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
index 1cce789d13500..1df6794a4c254 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - RPC (Remote Procedure Call) to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - RPC (Remote Procedure Call) to the Internet",
 "query": "destination.port:135 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
index 3bce656c26a7f..c8f2a4eac5d79 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - SMB (Windows File Sharing) Activity to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - SMB (Windows File Sharing) Activity to the Internet",
 "query": "(destination.port:139 or destination.port:445) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
index dc456ff97f6f1..3f139a5b0c486 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - SMTP to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - SMTP to the Internet",
 "query": "destination.port:25 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
index 5e643579bfeae..4db4bcb032c4f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - SQL Server Port Activity to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - SQL Server Port Activity to the Internet",
 "query": "destination.port:1433 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
index 54c1bf53bbb98..f512fa055e283 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - SSH (Secure Shell) from the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - SSH (Secure Shell) from the Internet",
 "query": "destination.port:22 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
index 1709a9da980fe..20a7f7f199fe5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - SSH (Secure Shell) to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - SSH (Secure Shell) to the Internet",
 "query": "destination.port:22 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
index 750a06f305c2c..40ea182bf198f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - Telnet Port Activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - Telnet Port Activity",
 "query": "destination.port:23",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
index 2d81a84db6d21..1781a38d73c8f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - Tor Activity to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - Tor Activity to the Internet",
 "query": "(destination.port:9001 or destination.port:9030) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
index e82fee8c329a9..763689ee37776 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - VNC (Virtual Network Computing) From the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - VNC (Virtual Network Computing) From the Internet",
 "query": "destination.port:5800 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
index 3ae0bfb631b05..dad9dac2a4eda 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Network - VNC (Virtual Network Computing) To the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - VNC (Virtual Network Computing) To the Internet",
 "query": "destination.port:5800 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
index 5b593d4ff7954..b69e1cde5ed62 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
@@ -1,6 +1,14 @@
 {
 "description": "Null user agent",
- "filters": [
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "filters": [
 {
 "meta": {
 "alias": null,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
index c0601d72ddd1f..e9944b8792be6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
@@ -1,5 +1,13 @@
 {
 "description": "SQLmap user agent",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "SQLmap user agent",
 "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
index cf35d60d7fd90..574f40496bc2d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet",
 "query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
index 4377942f5fde4..8202b248a9956 100644
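Review bot: The SQLmap rule's query matches only the literal string `sqlmap/1.3.11#stable (http://sqlmap.org)`, so every other sqlmap release (or anyone who edits the version token) is missed and the rule goes stale the moment sqlmap ships a new build. A prefix match on the tool name is far more durable, e.g. `"query": "user_agent.original:sqlmap*",` — this assumes user_agent.original is mapped as keyword as ECS specifies; if it is an analyzed text field, `user_agent.original:sqlmap` on the token is the equivalent. Since the UA string is fully attacker-controlled this is a low-effort-evasion signal either way, which the description or false_positives should state.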
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Burp CE activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Burp CE activity",
 "query": "process.name:BurpSuiteCommunity.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
index 92fdad49e0e18..4222370c2dcad 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows: Certutil Connecting to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Certutil Connecting to the Internet",
 "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
index ec0623765ee17..3c01d7d12afd3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows: Command Prompt Connecting to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Command Prompt Connecting to the Internet",
 "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
index d70b155d952f0..671277e3dceb7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
@@ -1,6 +1,14 @@
 {
 "description": "Command shell started by Internet Explorer",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Command shell started by Internet Explorer",
 "query": "process.parent.name:iexplore.exe and process.name:cmd.exe",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
index 1a5d3010175b0..386e429de76a1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
@@ -1,6 +1,14 @@
 {
 "description": "Command shell started by Powershell",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Command shell started by Powershell",
 "query": "process.parent.name:powershell.exe and process.name:cmd.exe",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
index fe997f97c7fb6..2fd16c3186d1e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
@@ -1,5 +1,13 @@
 {
 "description": "Command shell started by Svchost",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Command shell started by Svchost",
 "query": "process.parent.name:svchost.exe and process.name:cmd.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
index ef3180d694de9..82e212f018ad8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Credential Dumping Commands",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Credential Dumping Commands",
 "query": "event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
index 920903b288241..3bf85c3592fb7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
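Review bot: In the credential-dumping query, KQL binds `and` tighter than `or`, so `event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or ...` applies the Sysmon process-create filter (event.code 1) only to the first alternative; every other term matches any event that carries process.args, which is not what the rule name implies. Parenthesise the alternatives: `"query": "event.code: 1 and (process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*))",`. Separately, `process.args:*wce*` is a three-letter substring with a leading wildcard and will match unrelated arguments; anchoring it on the binary (e.g. `process.name:wce.exe`) would cut that noise.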
@@ -1,5 +1,13 @@
 {
 "description": "Windows Credential Dumping via ImageLoad",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Credential Dumping via ImageLoad",
 "query": "event.code:7 and not process.name:Sysmon.exe and not process.name:Sysmon64.exe and not process.name:svchost.exe and not process.name:logonui.exe and (file.path:*samlib.dll* or file.path:*WinSCard.dll* or file.path:*cryptdll.dll* or file.path:*hid.dll* or file.path:*vaultcli.dll*)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
index 452f8010cfd06..70badf1eaa265 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Credential Dumping via Registry Save",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Credential Dumping via Registry Save",
 "query": "event.code: 1 and process.name:reg.exe and process.args:*save* and (process.args:*sam* or process.args:*system*)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
index c53e3242887de..e72805bd54629 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Data Compression Using Powershell",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Data Compression Using Powershell",
 "query": "event.code: 1 and process.name:powershell.exe and (process.args:*Recurse* and process.args:*Compress-Archive*)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
index b40ae6c66d65f..6b0f86fee3037 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Defense Evasion - Decoding Using Certutil",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Defense Evasion - Decoding Using Certutil",
 "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
index acef9fcad43ac..bf298cd2ade88 100644
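Review bot: The query in the `windows_defense_evasion_decoding_using_certutil.json` hunk never mentions certutil: `event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)` is a hidden-file `attrib` detection, effectively a wildcarded copy of the `windows_defense_evasion_or_persistence_via_hidden_files.json` rule elsewhere in this patch, so a rule named "Decoding Using Certutil" will alert on `attrib +h` and can never fire on a certutil decode. The sibling `windows_payload_obfuscation_via_certutil.json` rule already covers the encode side with `process.args:*encode*`; the decode counterpart would be something like `event.code:1 and process.name:certutil.exe and (process.args:*decode* or process.args:*decodehex*)` — confirm against the analytic this rule was derived from. Leaving the query as is means two rules fire on the same attrib event under different names while the certutil technique goes undetected.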
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Defense Evasion or Persistence via Hidden Files",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Defense Evasion or Persistence via Hidden Files",
 "query": "event.code:1 and process.name:attrib.exe and (process.args:\"+h\" or process.args:\"+s\")",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
index a920679531a04..027c06cb85bd9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Defense evasion via Filter Manager",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Defense evasion via Filter Manager",
 "query": "event.code:1 and process.name:fltmc.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
index 863ad02022a51..d4818b89a3b21 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Defense Evasion via Windows Event Log Tools",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Defense Evasion via Windows Event Log Tools",
 "query": "event.code:1 and process.name:wevtutil.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
index 477dd00bb5b8f..b5a959339baa0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Execution via Compiled HTML File",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Execution via Compiled HTML File",
 "query": "event.code:1 and process.name:hh.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
index 99ea8f7569321..00f7e9078bfe3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Execution via Connection Manager",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Execution via Connection Manager",
 "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
index 36e8a2ac7d75b..5166efa9d4e98 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Execution via Microsoft HTML Application (HTA)",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Execution via Microsoft HTML Application (HTA)",
 "query": "event.code:1 and (process.parent.args:*mshta* or process.args:*mshta*)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
index 671439a6783cc..fb80c1e21feab 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
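Review bot: The query in the `windows_execution_via_connection_manager.json` hunk, `event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)`, is byte-for-byte the Indirect Command Execution query that appears later in this patch and says nothing about Connection Manager (`cmstp.exe`), so a rule named and described as Connection Manager execution will alert on pcalua/forfiles/bash events and never on cmstp. If the intent matches the name, the query presumably should be something like `event.code:1 and process.name:cmstp.exe` (tuned against the source analytic for the `/s` and `/ni` style invocations); if the duplication is deliberate, the description should say so, because two differently named rules firing on identical events double the triage load. The file header for this section starts on the previous line.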
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Execution via .NET COM Assemblies",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Execution via .NET COM Assemblies",
 "query": "event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
index fdafb3363e47b..370bc1cfff6cf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Execution via Regsvr32",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Execution via Regsvr32",
 "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
index 6a22ae59a8afc..296d0b09b56ff 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
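Review bot: In the `windows_execution_via_regsvr32.json` hunk the term `scrobj.dll` in `event.code: 1 and scrobj.dll and (process.name:certutil.exe or ...)` is not bound to a field, so KQL searches it against whatever default field each index exposes; with the six index patterns now attached to the rule that may be `message`, a `file.*` field, or nothing at all, and the rule's behaviour will differ per data source. Bind it to the field you mean, e.g. `event.code:1 and process.args:*scrobj.dll* and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)`, so the detection is deterministic. The `windows_execution_via_trusted_developer_utilities.json` section opening at the end of this line has its hunk on the next line.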
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Execution via Trusted Developer Utilities",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Execution via Trusted Developer Utilities",
 "query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
index 785b755994cf4..e09c2d0ef8bbd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows: HTML Help executable Program Connecting to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: HTML Help executable Program Connecting to the Internet",
 "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
index db36f776e74d0..793bf4416f631 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows image load from a temp directory",
- "filters": [
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "filters": [
 {
 "$state": {
 "store": "appState"
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
index cc51ff8ed8380..64b62b3135dd4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Indirect Command Execution",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Indirect Command Execution",
 "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
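Review bot: The `windows_indirect_command_execution.json` query `event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)` parses, under KQL's `and`-before-`or` precedence, as `(event.code:1 and process.parent.name:pcalua.exe) or (any process named bash/forfiles/pcalua)`, so the second branch fires on every event type that carries a matching `process.name` — network connections, image loads, terminations — not just process creation. The reading the description implies is `event.code:1 and (process.parent.name:pcalua.exe or process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)`. Note that `process.name:pcalua.exe` on its own also catches every legitimate Program Compatibility Assistant launch; whether that noise is acceptable is a tuning decision, but the precedence fix is a correctness one.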
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
index 438dc31a4aa27..17dab9b0ac65a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Iodine activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Iodine activity",
 "query": "event.code: 1 and process.name:iodine.exe or process.name:iodined.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
index c6e8633112dc7..6436a7e163672 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Management Instrumentation (WMI) Execution",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Management Instrumentation (WMI) Execution",
 "query": "event.code:1 and (process.parent.args:*wmiprvse.exe* or process.name:wmic.exe or process.args:*wmic* )",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
index 262eca177fdc1..7efeca17368a3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet",
 "query": "process.name:mshta.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
index e0058bd531141..3f83cb6184b16 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows Mimikatz activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Windows Mimikatz activity",
 "query": "event.code: 1 and process.name:mimikatz.exe",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
index 004b1837e22fb..f56c7e9fd22ec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows: Misc LOLBin Connecting to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Misc LOLBin Connecting to the Internet",
 "query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
index 2b846d560beeb..750d1a3b5fdac 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows net command activity by the SYSTEM account",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Windows net command activity by the SYSTEM account",
 "query": "process.name: (net.exe or net1.exe) and user.name:SYSTEM",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
index a7b417807ee7e..fcfe675c55c19 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows net user command activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Windows net user command activity",
 "query": "process.name:net.exe and process.args:user and event.code:1",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
index 36c6abb20ef1a..6ae39cbf95767 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows Netcat activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Windows Netcat activity",
 "query": "process.name:ncat.exe and event.code:1",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
index b6a84302df986..4fea22bd6fd13 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows Netcat network activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Windows Netcat network activity",
 "query": "process.name:ncat.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
index a35a00aaf5849..e5ca52ebe9eec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Network - Anomalous Windows Process Using HTTP/S Ports",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Network - Anomalous Windows Process Using HTTP/S Ports",
 "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:chrome.exe and not process.name:explorer.exe and not process.name:filebeat.exe and not process.name:firefox.exe and not process.name:iexplore.exe and not process.name:jusched.exe and not process.name:MpCmdRun.exe and not process.name:MpSigStub.exe and not process.name:msfeedssync.exe and not process.name:packetbeat.exe and not process.name:powershell.exe and not process.name:procexp64.exe and not process.name:svchost.exe and not process.name:taskhostw.exe and not process.name:winlogbeat.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
index 9bfdd316953cb..d1ef7210804a7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows nmap activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Windows nmap activity",
 "query": "process.name:nmap.exe and event.code:1",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
index 2c9c68b412b58..b0a170d67f98b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows nmap scan activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Windows nmap scan activity",
 "query": "process.name:nmap.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
index 280d6cd499050..9de97cd34036d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Payload Obfuscation via Certutil",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Payload Obfuscation via Certutil",
 "query": "event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)",
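Review bot: In the `windows_payload_obfuscation_via_certutil.json` hunk the second alternative of `event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)` is dead: `ToBase64String` is a .NET `[Convert]` method that appears on PowerShell command lines, not a certutil argument, so it can never co-occur with `process.name:certutil.exe`. Either drop it, or make the rule say what it apparently means by pairing each term with its tool: `event.code:1 and ((process.name:certutil.exe and process.args:*encode*) or (process.name:powershell.exe and process.args:*ToBase64String*))`. Leaving a branch that cannot match gives a false sense of coverage when the rule is reviewed against the technique it claims to detect.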
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
index 199774895f1e4..e837190667722 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Persistence or Priv Escalation via Hooking",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence or Priv Escalation via Hooking",
 "query": "event.code:1 and process.name:mavinject.exe and processs.args:*INJECTRUNNING*",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
index 507f73352e1aa..531f4231fd6ea 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Persistence via Application Shimming",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence via Application Shimming",
 "query": "event.code:1 and process.name:sdbinst.exe",
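Review bot: The `windows_persistence_or_priv_escalation_via_hooking.json` query `event.code:1 and process.name:mavinject.exe and processs.args:*INJECTRUNNING*` misspells the field as `processs.args` (three s); no ECS document has that field, so the conjunction is always false and this rule can never fire, while still appearing as "enabled coverage" for the technique. The fix is the one-token change `process.args:*INJECTRUNNING*`. Because a typo like this is silent at load time, it would be worth a unit test that extracts the field names from each prepackaged `query` and checks them against the ECS field list so the next one is caught in CI rather than in an incident review.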
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
index 2544038d52551..f892a437f7912 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Persistence via BITS Jobs",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence via BITS Jobs",
 "query": "event.code:1 and (process.name:bitsadmin.exe or process.args:*Start-BitsTransfer*)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
index e74215eb143c2..71c66296e8431 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Persistence via Modification of Existing Service",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence via Modification of Existing Service",
 "query": "event.code:1 and process.args:*sc*config*binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)",
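Review bot: In the `windows_persistence_via_modification_of_existing_service.json` hunk the clause `process.args:*sc*config*binpath*` spans three separate command-line tokens with one wildcard; if `process.args` in these indices is the ECS array with one element per argument (the usual mapping — confirm against the winlogbeat/endgame documents you have), a wildcard can only match within a single element, so a direct `sc.exe config <svc> binpath= ...` invocation will not match and the rule only catches the case where the whole command is wrapped in one argument such as `cmd /c "sc config ..."`. Matching the tokens individually, `event.code:1 and process.args:config and process.args:binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)`, works for both shapes; if the data source exposes `process.command_line`, a single wildcard against that field is the other clean option. The same question applies to `*ntds*ifm*create*` in the credential-dumping rule earlier in this patch.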
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
index bc3221431357d..7f36aaf96f588 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Persistence via Netshell Helper DLL",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence via Netshell Helper DLL",
 "query": "event.code:1 and process.name:netsh.exe and process.args:*helper*",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
index de6c3e3bdbdbf..6a9b6e343a6da 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows: Powershell Connecting to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Powershell Connecting to the Internet",
 "query": "process.name:powershell.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
index 54c93cdb85037..753038e3134d9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Priv Escalation via Accessibility Features",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Priv Escalation via Accessibility Features",
 "query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
index 5158c06a11d24..9e952233c3ac9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Process Discovery via Tasklist Command",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Process Discovery via Tasklist Command",
 "query": "event.code:1 and process.name:tasklist.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
index 8a1af4c14d09f..febf68c7523f6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
@@ -1,5 +1,13 @@
 {
 "description": "Process Execution via WMI",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Process Execution via WMI",
 "query": "process.name:scrcons.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
index 2d835ea295d5f..ae9c23409f99e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
@@ -1,6 +1,14 @@
 {
 "description": "Process started by Acrobat reader - possible payload",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Process started by Acrobat reader - possible payload",
 "query": "process.parent.name:AcroRd32.exe and event.code:1",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
index 21f403166662f..fbc6f2a54de9d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
@@ -1,6 +1,14 @@
 {
 "description": "Process started by MS Office program - possible payload",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Process started by MS Office program - possible payload",
 "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE and event.code:1",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
index 6361a3fecab8a..77974c687b4e9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows process started by the Java runtime",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Windows process started by the Java runtime",
 "query": "process.parent.name:javaw.exe and event.code:1",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
index 2db053da70b68..6314850572b47 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
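Review bot: The `"query"` context line in the MS Office hunk chains six `process.parent.name` terms with `or` and then appends `and event.code:1`; KQL gives `and` higher precedence than `or`, so the `event.code:1` constraint applies only to the `WINWORD.EXE` term and the other five parents match any event type. The rule ships with this commit's new `index` list, so it is worth fixing the line here: `"query": "(process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE) and event.code:1",`. The sibling Acrobat and Java rules in the adjacent hunks already have a single parent term and are not affected.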
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "PSexec activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "PSexec activity",
 "query": "process.name:PsExec.exe or process.name:PsExec64.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
index 4386724ef1b18..65b0deb30716d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows: Register Server Program Connecting to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Register Server Program Connecting to the Internet",
 "query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
index b21edba964f6e..2f08a68fec577 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Registry Query, Local",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Registry Query, Local",
 "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
index 3c0ee222d13d9..9172398151ed3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Registry Query, Network",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Registry Query, Network",
 "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
index 703aaa39fd224..b6ab642a2cb30 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
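Review bot: The `"query"` context line of the "Windows Registry Query, Network" hunk is byte-for-byte the same as the "Windows Registry Query, Local" hunk above it (`event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*`), so both rules fire on exactly the same events and the Network variant adds no coverage while doubling alert volume. Presumably the Network rule was meant to carry an extra term that distinguishes a remote-target query from a local one; confirm the intended discriminator with the rule author and add it here, or drop one of the two rules. Neither line is changed by this commit, but the commit is what publishes the rules with the new `index` scope.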
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Remote Management Execution",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Remote Management Execution",
 "query": "(process.name:wsmprovhost.exe or process.name:winrm.cmd) and (process.args:*Enable-PSRemoting -Force* or process.args:*Invoke-Command -computer_name* or process.args:*wmic*node*process call create*)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
index 4f450cb3108bf..ade47d2a70e06 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Scheduled Task Activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Scheduled Task Activity",
 "query": "event.code:1 and (process.name:schtasks.exe or process.name:taskeng.exe) or (event.code:1 and process.name:svchost.exe and not process.parent.executable: \"C:\\Windows\\System32\\services.exe\" )",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
index f37927f56ff3a..27dcd02356440 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows: Script Interpreter Connecting to the Internet",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Script Interpreter Connecting to the Internet",
 "query": "(process.name:cscript.exe or process.name:wscript.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
index d5da9595ffe7f..6638ac5ad4206 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Signed Binary Proxy Execution",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution",
 "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
index 443d0cc9f4273..f342425c7dbd0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Signed Binary Proxy Execution Download",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution Download",
 "query": " event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
index 3c90a1a8d5616..4cb62186ab3f4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
@@ -1,6 +1,14 @@
 {
 "description": "Suspicious process started by a script",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Suspicious process started by a script",
 "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe) and event.code:1",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
index 94d1f5d979d2a..f4c9e2af2ff64 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
@@ -1,6 +1,14 @@
 {
 "description": "Windows whoami command activity",
- "language": "kuery",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "language": "kuery",
 "name": "Windows whoami command activity",
 "query": "process.name:whoami.exe and event.code:1",
 "risk_score": 50,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
index 880a2fc35da00..ebafb8a416505 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
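Review bot: In the "Suspicious process started by a script" hunk the child-process group of the `"query"` context line contains a bare `or mshta.exe` with no field prefix, while every neighbouring term is qualified with `process.name:`; in KQL an unqualified term is a free-text match against the default fields, so this clause matches any document in which `mshta.exe` appears in any field rather than the intended child process. It looks like a dropped prefix, and the one-token fix is `process.name:mshta.exe`. The line is unchanged by this commit, but the rule is published by it with the new `index` list, and the broadened index scope makes a free-text term more likely to hit unrelated documents.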
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "WinDump activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "WinDump activity",
 "query": "process.name:WinDump.exe",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
index 58b015d2d8ad3..833b3d99bb2e9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "Windows Wireshark activity",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Wireshark activity",
 "query": "process.name:wireshark.exe",
From 771579aaa0ac76228e486c8a99b0c7ff40abe446 Mon Sep 17 00:00:00 2001
From: FrankHassanabad
Date: Fri, 24 Jan 2020 15:16:53 -0700
Subject: [PATCH 4/9] Fixed import issue where you could flip the flags on import
---
.../schemas/import_rules_schema.test.ts | 41 +++++++++++++++----
.../routes/schemas/import_rules_schema.ts | 2 +-
2 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
index f2d7c7f483b79..f761ba6198e74 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
@@ -857,7 +857,7 @@ describe('import rules schema', () => {
 );
 });
- test('You can optionally set the immutable to be true', () => {
+ test('You can optionally set the immutable to be false', () => {
 expect(
 importRulesSchema.validate>({
 rule_id: 'rule-1',
@@ -866,7 +866,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -880,6 +880,29 @@ describe('import rules schema', () => {
 ).toBeFalsy();
 });
+ test('You cannnot set immutable to be true', () => {
+ expect(
+ importRulesSchema.validate>({
+ rule_id: 'rule-1',
+ output_index: '.siem-signals',
+ risk_score: 50,
+ description: 'some description',
+ from: 'now-5m',
+ to: 'now',
+ immutable: true,
+ index: ['index-1'],
+ name: 'some-name',
+ severity: 'low',
+ interval: '5m',
+ type: 'query',
+ references: ['index-1'],
+ query: 'some query',
+ language: 'kuery',
+ max_signals: 1,
+ }).error.message
+ ).toEqual('child "immutable" fails because ["immutable" must be one of [false]]');
+ });
+
 test('You cannot set the immutable to be a number', () => {
 expect(
 importRulesSchema.validate<
@@ -914,7 +937,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -937,7 +960,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -960,7 +983,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
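Review bot: The new test added in the `@@ -880,6 +880,29 @@` hunk has a typo in its name, `'You cannnot set immutable to be true'`; since test names are what shows up in CI output, it should read `test('You cannot set immutable to be true', () => {`. Separately, the assertion reaches into `}).error.message` directly, so if validation ever unexpectedly accepts `immutable: true` the test fails with a `TypeError` on `undefined` rather than a readable expectation mismatch; asserting on `.error` with `toBeTruthy()` first, or on `.error?.message`, would make a regression report clearer. The enclosing `describe` block begins and ends outside this hunk.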
@@ -983,7 +1006,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1006,7 +1029,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1032,7 +1055,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1056,7 +1079,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
index 8516585a2c055..672eb43d51773 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
@@ -61,7 +61,7 @@ export const importRulesSchema = Joi.object({
 filters,
 from: from.default('now-6m'),
 rule_id: rule_id.required(),
- immutable: immutable.default(false),
+ immutable: immutable.default(false).valid(false),
 index,
 interval: interval.default('5m'),
 query: query.allow('').default(''),
From bd84a088440cf3d4455c7084a0680c0f6c4f8713 Mon Sep 17 00:00:00 2001
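Review bot: `immutable: immutable.default(false).valid(false)` in the `import_rules_schema.ts` hunk reads as redundant to anyone who does not know the history, so the line deserves a why-comment: `// An imported rule must never be accepted as immutable; only the bundled prepackaged rules are immutable, and an importer must not be able to mark arbitrary rules as such.` The combination is correct as far as the hunk shows — `.default(false)` still fills in a missing key, while `.valid(false)` rejects `true`, matching the error text asserted in the accompanying test — but the base `immutable` schema is defined outside this hunk, so its type (presumably `Joi.boolean()`) is not visible here. The enclosing `Joi.object({ ... })` begins and ends outside the hunk.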
From: FrankHassanabad
Date: Fri, 24 Jan 2020 19:01:03 -0700
Subject: [PATCH 5/9] Updated json to have techniques be technique from conflict resolution
---
.../rules/prepackaged_rules/linux_ssh_forwarding.json | 2 +-
.../rules/prepackaged_rules/linux_tcpdump_activity.json | 4 ++--
.../network_dns_directly_to_the_internet.json | 2 +-
...k_ftp_file_transfer_protocol_activity_to_the_internet.json | 4 ++--
...internet_relay_chat_protocol_activity_to_the_internet.json | 4 ++--
.../network_nat_traversal_port_activity.json | 2 +-
.../rules/prepackaged_rules/network_port_26_activity.json | 4 ++--
.../network_port_8000_activity_to_the_internet.json | 2 +-
.../network_proxy_port_activity_to_the_internet.json | 2 +-
...network_rdp_remote_desktop_protocol_from_the_internet.json | 2 +-
.../network_rdp_remote_desktop_protocol_to_the_internet.json | 4 ++--
.../network_rpc_remote_procedure_call_from_the_internet.json | 2 +-
.../network_rpc_remote_procedure_call_to_the_internet.json | 2 +-
...ork_smb_windows_file_sharing_activity_to_the_internet.json | 4 ++--
.../rules/prepackaged_rules/network_smtp_to_the_internet.json | 4 ++--
.../network_ssh_secure_shell_from_the_internet.json | 4 ++--
.../network_ssh_secure_shell_to_the_internet.json | 2 +-
.../rules/prepackaged_rules/network_telnet_port_activity.json | 4 ++--
.../network_tor_activity_to_the_internet.json | 2 +-
...twork_vnc_virtual_network_computing_from_the_internet.json | 4 ++--
...network_vnc_virtual_network_computing_to_the_internet.json | 2 +-
21 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
index 7b375742fa511..a3fb90cd97e8d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
@@ -20,7 +20,7 @@
 "name": "Lateral Movement",
 "reference": "https://attack.mitre.org/tactics/TA0008/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1184",
 "name": "SSH Hijacking",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
index 9e522eb59cf62..e9612585fc958 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
@@ -19,7 +19,7 @@
 "name": "Credential Access",
 "reference": "https://attack.mitre.org/tactics/TA0006/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1040",
 "name": "Network Sniffing",
@@ -34,7 +34,7 @@
 "name": "Discovery",
 "reference": "https://attack.mitre.org/tactics/TA0007/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1040",
 "name": "Network Sniffing",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
index 140297418e0e8..68fd0016a1a6f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
@@ -21,7 +21,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
index bb439c1ec16d3..cb109b24692d3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -30,7 +30,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
index 6394e82a45a85..d58ad82f2a210 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
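Review bot: The second hunk of the FTP rule (`@@ -30,7 +30,7 @@`) has inconsistent ATT&CK metadata in its context lines: the tactic named `"Exfiltration"` points at `https://attack.mitre.org/tactics/TA0011/`, which is the same URL the first hunk uses for `"Command and Control"` (Exfiltration is TA0010), and the technique under it is `"id": "T1043"` with `"name": "Exfiltration Over Alternative Protocol"`, while the first hunk of the same file names T1043 `"Commonly Used Port"` (Exfiltration Over Alternative Protocol is T1048). The same mismatched block appears in the IRC rule's `@@ -30,7 +30,7 @@` hunk and the port-26 rule's `@@ -34,7 +34,7 @@` hunk on the next line. The rename commit does not introduce this, but it is the exact block being touched and the wrong tactic/technique ids propagate into every alert's MITRE mapping.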
@@ -30,7 +30,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
index bad7eece34977..d7a87ffdcfbd4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
@@ -15,7 +15,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
index cbf803576c183..c003e1c8d084a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
@@ -19,7 +19,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -34,7 +34,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
index 6fdd2860cdb7b..a1da329ab0ba6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
index 848af79df6fc8..88bc430f547c1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
index 360d812a4c3b5..bd4fda4a6dadd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
index 71e5e5ec17a26..a733b4602f869 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -30,7 +30,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
index 233afd9f12df7..80a6f66eb11c5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
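Review bot: Both RDP rules on this line tag their first threat as "Initial Access" while referencing `https://attack.mitre.org/tactics/TA0011/`, which every Command and Control entry in this patch uses; the SSH-from-the-internet rule further down pairs the same tactic name with `https://attack.mitre.org/tactics/TA0001/`, so the RDP entries look copy-pasted from the C2 block. The "to the internet" variant additionally keeps "Initial Access" with T1190 "Exploit Public-Facing Application" for outbound traffic, which does not describe an outbound connection and deserves a second look. I would align the tactic reference with the TA0001 URL the SSH rule uses and confirm the outbound rule's tactic against the framework. The RPC, SMB, telnet and VNC rules below share the same Initial Access / TA0011 pairing.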
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
index 23e8a57f10637..458b5d8116c77 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
index 473cffbbdb88b..14228d668401e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -30,7 +30,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
index 9d1f1137fbc54..116eae3000cf8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -30,7 +30,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
index d17f73a0e1084..e889170f9ffb5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0001/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -30,7 +30,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
index 1625a181a2472..22f094aca0919 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
index 7c3935b1ec3ac..16362605a9c1f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
@@ -15,7 +15,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -30,7 +30,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
index e38e098598574..0cd0711db9f15 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
index 0146a523024ce..c52f4e72de91f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -30,7 +30,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
index f9783a75854ea..8333dcbb02a73 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
@@ -15,7 +15,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
From cf4bf84e50dc96f619a8b919ac1708b1cb6aca7e Mon Sep 17 00:00:00 2001
From: FrankHassanabad Date: Fri, 24 Jan 2020 20:15:37 -0700 Subject: [PATCH 6/9] Renamed threats to threat and cleaned up more of the rules to have index correctly --- .../detection_engine/rules/types.ts | 4 +- .../siem/public/graphql/introspection.json | 2 +- .../plugins/siem/public/graphql/types.ts | 2 +- .../rules/all/__mocks__/mock.ts | 6 +-- .../components/description_step/helpers.tsx | 25 +++++----- .../components/description_step/index.tsx | 10 ++-- .../components/description_step/types.ts | 4 +- .../rules/components/mitre/index.tsx | 4 +- .../step_about_rule/default_value.ts | 4 +- .../components/step_about_rule/index.tsx | 6 +-- .../components/step_about_rule/schema.tsx | 2 +- .../detection_engine/rules/create/helpers.ts | 20 +++----- .../pages/detection_engine/rules/helpers.tsx | 4 +- .../pages/detection_engine/rules/types.ts | 4 +- .../overview/signals_by_category/index.tsx | 2 +- .../siem/server/graphql/ecs/schema.gql.ts | 2 +- .../plugins/siem/server/graphql/types.ts | 6 +-- .../routes/__mocks__/request_responses.ts | 6 +-- .../routes/index/signals_mapping.json | 2 +- .../routes/rules/create_rules_bulk_route.ts | 4 +- .../routes/rules/create_rules_route.ts | 4 +- .../routes/rules/import_rules_route.ts | 6 +-- .../routes/rules/update_rules_bulk_route.ts | 4 +- .../routes/rules/update_rules_route.ts | 4 +- .../routes/rules/utils.test.ts | 28 +++++------ .../detection_engine/routes/rules/utils.ts | 2 +- .../add_prepackaged_rules_schema.test.ts | 40 ++++++++-------- .../schemas/add_prepackaged_rules_schema.ts | 6 +-- .../schemas/create_rules_schema.test.ts | 38 +++++++-------- .../routes/schemas/create_rules_schema.ts | 4 +- .../schemas/import_rules_schema.test.ts | 38 +++++++-------- .../routes/schemas/import_rules_schema.ts | 4 +- .../routes/schemas/schemas.ts | 2 +- .../schemas/update_rules_schema.test.ts | 46 +++++++++---------- .../routes/schemas/update_rules_schema.ts | 4 +- .../detection_engine/rules/create_rules.ts | 4 +- 
.../create_rules_stream_from_ndjson.test.ts | 20 ++++---- .../rules/get_export_all.test.ts | 2 +- .../rules/get_export_by_object_ids.test.ts | 4 +- .../rules/install_prepacked_rules.ts | 4 +- .../403_response_to_a_post.json | 8 ++++ .../405_response_method_not_allowed.json | 8 ++++ ...den_file_attribute_with_via_attribexe.json | 2 +- .../eql_adobe_hijack_persistence.json | 2 +- .../eql_audio_capture_via_powershell.json | 2 +- .../eql_audio_capture_via_soundrecorder.json | 2 +- .../eql_bypass_uac_event_viewer.json | 2 +- .../eql_bypass_uac_via_cmstp.json | 2 +- .../eql_bypass_uac_via_sdclt.json | 2 +- .../eql_clearing_windows_event_logs.json | 2 +- ...delete_volume_usn_journal_with_fsutil.json | 2 +- ...deleting_backup_catalogs_with_wbadmin.json | 2 +- .../eql_direct_outbound_smb_connection.json | 2 +- ...ble_windows_firewall_rules_with_netsh.json | 2 +- .../eql_dll_search_order_hijack.json | 2 +- ...coding_or_decoding_files_via_certutil.json | 2 +- .../eql_local_scheduled_task_commands.json | 2 +- .../eql_local_service_commands.json | 2 +- ...ql_modification_of_boot_configuration.json | 2 +- ...ql_msbuild_making_network_connections.json | 2 +- .../eql_mshta_making_network_connections.json | 2 +- .../eql_msxsl_making_network_connections.json | 2 +- ...ql_suspicious_ms_office_child_process.json | 2 +- ...l_suspicious_ms_outlook_child_process.json | 2 +- ...l_suspicious_pdf_reader_child_process.json | 2 +- .../eql_system_shells_via_services.json | 2 +- ...usual_network_connection_via_rundll32.json | 2 +- .../eql_unusual_parentchild_relationship.json | 2 +- ...ql_unusual_process_network_connection.json | 2 +- .../eql_user_account_creation.json | 2 +- ...eql_user_added_to_administrator_group.json | 2 +- ...ume_shadow_copy_deletion_via_vssadmin.json | 2 +- ..._volume_shadow_copy_deletion_via_wmic.json | 2 +- ...l_windows_script_executing_powershell.json | 2 +- .../eql_wmic_command_lateral_movement.json | 2 +- .../linux_hping_activity.json | 8 ++++ 
.../linux_iodine_activity.json | 8 ++++ .../linux_kernel_module_activity.json | 2 +- .../linux_ldso_process_activity.json | 8 ++++ .../linux_mknod_activity.json | 8 ++++ .../linux_netcat_network_connection.json | 8 ++++ .../linux_nmap_activity.json | 8 ++++ .../linux_nping_activity.json | 8 ++++ ...nux_process_started_in_temp_directory.json | 8 ++++ .../linux_shell_activity_by_web_server.json | 2 +- .../linux_socat_activity.json | 8 ++++ .../linux_ssh_forwarding.json | 10 +++- .../linux_strace_activity.json | 8 ++++ .../linux_tcpdump_activity.json | 10 +++- .../linux_whoami_commmand.json | 2 +- .../network_dns_directly_to_the_internet.json | 10 +++- ...fer_protocol_activity_to_the_internet.json | 10 +++- ...hat_protocol_activity_to_the_internet.json | 10 +++- .../network_nat_traversal_port_activity.json | 10 +++- .../network_port_26_activity.json | 10 +++- ...rk_port_8000_activity_to_the_internet.json | 10 +++- ..._to_point_tunneling_protocol_activity.json | 8 ++++ ...k_proxy_port_activity_to_the_internet.json | 10 +++- ...te_desktop_protocol_from_the_internet.json | 10 +++- ...mote_desktop_protocol_to_the_internet.json | 10 +++- ...mote_procedure_call_from_the_internet.json | 10 +++- ...remote_procedure_call_to_the_internet.json | 10 +++- ...file_sharing_activity_to_the_internet.json | 10 +++- .../network_smtp_to_the_internet.json | 10 +++- ..._server_port_activity_to_the_internet.json | 8 ++++ ...rk_ssh_secure_shell_from_the_internet.json | 10 +++- ...work_ssh_secure_shell_to_the_internet.json | 10 +++- .../network_telnet_port_activity.json | 10 +++- .../network_tor_activity_to_the_internet.json | 10 +++- ...l_network_computing_from_the_internet.json | 10 +++- ...ual_network_computing_to_the_internet.json | 10 +++- .../prepackaged_rules/null_user_agent.json | 8 ++++ .../prepackaged_rules/sqlmap_user_agent.json | 8 ++++ .../rules/update_prepacked_rules.ts | 4 +- .../detection_engine/rules/update_rules.ts | 6 +-- .../import/multiple_ruleid_queries.ndjson | 4 +- 
.../rules/queries/query_mitre_attack.json | 4 +- .../rules/queries/query_with_everything.json | 2 +- .../saved_query_with_everything.json | 2 +- .../multiple_ruleid_queries_corrupted.ndjson | 6 +-- .../updates/update_query_everything.json | 2 +- .../scripts/signals/sample_signal.json | 40 ++++------------ .../signals/__mocks__/es_results.ts | 2 +- .../detection_engine/signals/build_rule.ts | 2 +- .../signals/signal_rule_alert_type.ts | 2 +- .../siem/server/lib/detection_engine/types.ts | 2 +- .../siem/server/lib/ecs_fields/index.ts | 2 +- 127 files changed, 570 insertions(+), 303 deletions(-)
diff --git a/x-pack/legacy/plugins/siem/public/containers/detection_engine/rules/types.ts b/x-pack/legacy/plugins/siem/public/containers/detection_engine/rules/types.ts
index 2e776738547df..b30c3b211b1b8 100644
--- a/x-pack/legacy/plugins/siem/public/containers/detection_engine/rules/types.ts
+++ b/x-pack/legacy/plugins/siem/public/containers/detection_engine/rules/types.ts
@@ -30,7 +30,7 @@ export const NewRuleSchema = t.intersection([
 rule_id: t.string,
 saved_id: t.string,
 tags: t.array(t.string),
- threats: t.array(t.unknown),
+ threat: t.array(t.unknown),
 to: t.string,
 updated_by: t.string,
 }),
@@ -73,7 +73,7 @@ export const RuleSchema = t.intersection([
 tags: t.array(t.string),
 type: t.string,
 to: t.string,
- threats: t.array(t.unknown),
+ threat: t.array(t.unknown),
 updated_at: t.string,
 updated_by: t.string,
 }),
diff --git a/x-pack/legacy/plugins/siem/public/graphql/introspection.json b/x-pack/legacy/plugins/siem/public/graphql/introspection.json
index 35599827ffe42..a9247403bf22c 100644
--- a/x-pack/legacy/plugins/siem/public/graphql/introspection.json
+++ b/x-pack/legacy/plugins/siem/public/graphql/introspection.json
@@ -4940,7 +4940,7 @@
 "deprecationReason": null
 },
 {
- "name": "threats",
+ "name": "threat",
 "description": "",
 "args": [],
 "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null },
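Review bot: `threat: t.array(t.unknown)` in both `NewRuleSchema` and `RuleSchema` lets the renamed field pass io-ts with any element shape, and the UI downstream compensates with a cast (`rule.threat as IMitreEnterpriseAttack[]` in the rules helpers) before dereferencing `tactic.id` and `technique`, so a malformed rule coming back from the API shows up as a runtime error in the description step instead of a validation failure. The element shape is fixed elsewhere in this patch — `framework`, `tactic { id, name, reference }`, `technique[] { id, name, reference }` — so a codec can replace the `unknown`. I would add one and use `t.array(ThreatSchema)` in both schemas; whether the file prefers `t.type` or an exact/strict variant I cannot tell from this hunk, so match the sibling fields.
```typescript
const MitreAttackEntrySchema = t.type({ id: t.string, name: t.string, reference: t.string });
export const ThreatSchema = t.type({
  framework: t.string,
  tactic: MitreAttackEntrySchema,
  technique: t.array(MitreAttackEntrySchema),
});
// … unchanged: remaining NewRuleSchema / RuleSchema fields …
    threat: t.array(ThreatSchema),
```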
diff --git a/x-pack/legacy/plugins/siem/public/graphql/types.ts b/x-pack/legacy/plugins/siem/public/graphql/types.ts index 4b6825268403c..6a24ffcc13020 100644 --- a/x-pack/legacy/plugins/siem/public/graphql/types.ts +++ b/x-pack/legacy/plugins/siem/public/graphql/types.ts @@ -1015,7 +1015,7 @@ export interface RuleField { tags?: Maybe; - threats?: Maybe; + threat?: Maybe; type?: Maybe; diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/all/__mocks__/mock.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/all/__mocks__/mock.ts index b62247e8f9a4f..980575f1470a5 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/all/__mocks__/mock.ts +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/all/__mocks__/mock.ts @@ -37,7 +37,7 @@ export const mockRule = (id: string): Rule => ({ tags: [], to: 'now', type: 'saved_query', - threats: [], + threat: [], version: 1, }); @@ -87,7 +87,7 @@ export const mockTableData: TableData[] = [ saved_id: "Garrett's IP", severity: 'low', tags: [], - threats: [], + threat: [], timeline_id: '86aa74d0-2136-11ea-9864-ebc8cc1cb8c2', timeline_title: 'Untitled timeline', to: 'now', @@ -136,7 +136,7 @@ export const mockTableData: TableData[] = [ saved_id: "Garrett's IP", severity: 'low', tags: [], - threats: [], + threat: [], timeline_id: '86aa74d0-2136-11ea-9864-ebc8cc1cb8c2', timeline_title: 'Untitled timeline', to: 'now', diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx index 4add612892c7e..e1cbc6ee92393 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx 
@@ -24,7 +24,7 @@ import { tacticsOptions, techniquesOptions } from '../../../mitre/mitre_tactics_ import { FilterLabel } from './filter_label'; import * as i18n from './translations'; -import { BuildQueryBarDescription, BuildThreatsDescription, ListItems } from './types'; +import { BuildQueryBarDescription, BuildThreatDescription, ListItems } from './types'; import { SeverityBadge } from '../severity_badge'; import ListTreeIcon from './assets/list_tree_icon.svg'; @@ -94,7 +94,7 @@ export const buildQueryBarDescription = ({ return items; }; -const ThreatsEuiFlexGroup = styled(EuiFlexGroup)` +const ThreatEuiFlexGroup = styled(EuiFlexGroup)` .euiFlexItem { margin-bottom: 0px; } @@ -114,25 +114,22 @@ const ReferenceLinkItem = styled(EuiButtonEmpty)` } `; -export const buildThreatsDescription = ({ - label, - threats, -}: BuildThreatsDescription): ListItems[] => { - if (threats.length > 0) { +export const buildThreatDescription = ({ label, threat }: BuildThreatDescription): ListItems[] => { + if (threat.length > 0) { return [ { title: label, description: ( - - {threats.map((threat, index) => { - const tactic = tacticsOptions.find(t => t.id === threat.tactic.id); + + {threat.map((singleThreat, index) => { + const tactic = tacticsOptions.find(t => t.id === singleThreat.tactic.id); return ( - - + + {tactic != null ? tactic.text : ''} - {threat.technique.map(technique => { + {singleThreat.technique.map(technique => { const myTechnique = techniquesOptions.find(t => t.id === technique.id); return ( @@ -153,7 +150,7 @@ export const buildThreatsDescription = ({ ); })} - + ), }, ]; diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx index 8cf1601e2c4b6..f1d2609cde8fe 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx 
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx
@@ -24,7 +24,7 @@ import {
 buildQueryBarDescription,
 buildSeverityDescription,
 buildStringArrayDescription,
- buildThreatsDescription,
+ buildThreatDescription,
 buildUnorderedListArrayDescription,
 buildUrlsDescription,
 } from './helpers';
@@ -116,11 +116,11 @@ const getDescriptionItem = (
 savedId,
 indexPatterns,
 });
- } else if (field === 'threats') {
- const threats: IMitreEnterpriseAttack[] = get(field, value).filter(
- (threat: IMitreEnterpriseAttack) => threat.tactic.name !== 'none'
+ } else if (field === 'threat') {
+ const threat: IMitreEnterpriseAttack[] = get(field, value).filter(
+ (singleThreat: IMitreEnterpriseAttack) => singleThreat.tactic.name !== 'none'
 );
- return buildThreatsDescription({ label, threats });
+ return buildThreatDescription({ label, threat });
 } else if (field === 'description') {
 return [
 {
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/types.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/types.ts
index d32fbcd725d12..c120d4a4106d0 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/types.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/types.ts
@@ -27,7 +27,7 @@ export interface BuildQueryBarDescription {
 indexPatterns?: IIndexPattern;
 }
 
-export interface BuildThreatsDescription {
+export interface BuildThreatDescription {
 label: string;
- threats: IMitreEnterpriseAttack[];
+ threat: IMitreEnterpriseAttack[];
 }
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx
index 9986b64fc5b15..d85be053065fc 100644
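Review bot: `get(field, value).filter(...)` in the renamed `threat` branch of `getDescriptionItem` throws if the rule object has no `threat` key, since `get` then yields `undefined` and the filter runs unconditionally; a rule persisted before this commit still carries the old `threats` key, and nothing in the diffstat looks like a saved-object migration, so opening such a rule's description would crash the step. Defaulting the lookup, `const threat: IMitreEnterpriseAttack[] = (get(field, value) || []).filter(`, keeps the step rendering and degrades to an empty MITRE section for legacy rules. `getDescriptionItem` starts and ends outside this hunk.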
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx
@@ -21,7 +21,7 @@ import styled from 'styled-components';
 import { tacticsOptions, techniquesOptions } from '../../../mitre/mitre_tactics_techniques';
 import * as Rulei18n from '../../translations';
 import { FieldHook, getFieldValidityAndErrorMessage } from '../shared_imports';
-import { threatsDefault } from '../step_about_rule/default_value';
+import { threatDefault } from '../step_about_rule/default_value';
 import { IMitreEnterpriseAttack } from '../../types';
 import { MyAddItemButton } from '../add_item_form';
 import { isMitreAttackInvalid } from './helpers';
@@ -49,7 +49,7 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 const values = field.value as string[];
 const newValues = [...values.slice(0, index), ...values.slice(index + 1)];
 if (isEmpty(newValues)) {
- field.setValue(threatsDefault);
+ field.setValue(threatDefault);
 } else {
 field.setValue(newValues);
 }
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts
index 63bfc84dab22f..70bfc2bcddd62 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts
@@ -7,7 +7,7 @@
 import { AboutStepRule } from '../../types';
 import { DEFAULT_TIMELINE_TITLE } from '../../../../../components/timeline/search_super_select/translations';
 
-export const threatsDefault = [
+export const threatDefault = [
 {
 framework: 'MITRE ATT&CK',
 tactic: { id: 'none', name: 'none', reference: 'none' },
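Review bot: In the second hunk of `mitre/index.tsx`, `const values = field.value as string[];` still tells the checker the field holds strings, yet the very same branch now resets it with `field.setValue(threatDefault)`, whose element (visible in the `default_value.ts` hunk) is an object with `framework`, `tactic` and `technique`; the cast is a type lie that only survives because `slice` is shape-agnostic. The file already imports `IMitreEnterpriseAttack` in the first hunk, so `const values = field.value as IMitreEnterpriseAttack[];` states what the field actually carries and lets a later misuse fail at compile time. `AddMitreThreat` continues outside this hunk.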
@@ -28,5 +28,5 @@ export const stepAboutDefaultValue: AboutStepRule = { id: null, title: DEFAULT_TIMELINE_TITLE, }, - threats: threatsDefault, + threat: threatDefault, }; diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/index.tsx index 8370af397bfec..4ae88b3014d19 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/index.tsx @@ -227,12 +227,12 @@ const StepAboutRuleComponent: FC = ({ }} /> diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx index c0595b8d48c26..22033dcf6b0f7 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx @@ -139,7 +139,7 @@ export const schema: FormSchema = { ), labelAppend: OptionalFieldLabel, }, - threats: { + threat: { label: i18n.translate( 'xpack.siem.detectionEngine.createRule.stepAboutRule.fieldMitreThreatLabel', { diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts index 4f33679453a81..de6678b42df6f 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts 
@@ -72,15 +72,7 @@ const formatScheduleStepData = (scheduleData: ScheduleStepRule): ScheduleStepRul }; const formatAboutStepData = (aboutStepData: AboutStepRule): AboutStepRuleJson => { - const { - falsePositives, - references, - riskScore, - threats, - timeline, - isNew, - ...rest - } = aboutStepData; + const { falsePositives, references, riskScore, threat, timeline, isNew, ...rest } = aboutStepData; return { false_positives: falsePositives.filter(item => !isEmpty(item)), references: references.filter(item => !isEmpty(item)), @@ -91,12 +83,12 @@ const formatAboutStepData = (aboutStepData: AboutStepRule): AboutStepRuleJson => timeline_title: timeline.title, } : {}), - threats: threats - .filter(threat => threat.tactic.name !== 'none') - .map(threat => ({ - ...threat, + threat: threat + .filter(singleThreat => singleThreat.tactic.name !== 'none') + .map(singleThreat => ({ + ...singleThreat, framework: 'MITRE ATT&CK', - technique: threat.technique.map(technique => { + technique: singleThreat.technique.map(technique => { const { id, name, reference } = technique; return { id, name, reference }; }), diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/helpers.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/helpers.tsx index d12d39fdc490a..ce0d50d9b6106 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/helpers.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/helpers.tsx @@ -43,9 +43,9 @@ export const getStepsData = ({ rule != null ? { isNew: false, - ...pick(['description', 'name', 'references', 'severity', 'tags', 'threats'], rule), + ...pick(['description', 'name', 'references', 'severity', 'tags', 'threat'], rule), ...(detailsView ? { name: '' } : {}), - threats: rule.threats as IMitreEnterpriseAttack[], + threat: rule.threat as IMitreEnterpriseAttack[], falsePositives: rule.false_positives, riskScore: rule.risk_score, timeline: { 
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts index ede78e1c4818d..effaa90d685df 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts @@ -76,7 +76,7 @@ export interface AboutStepRule extends StepRuleData { falsePositives: string[]; tags: string[]; timeline: FieldValueTimeline; - threats: IMitreEnterpriseAttack[]; + threat: IMitreEnterpriseAttack[]; } export interface DefineStepRule extends StepRuleData { @@ -109,7 +109,7 @@ export interface AboutStepRuleJson { tags: string[]; timeline_id?: string; timeline_title?: string; - threats: IMitreEnterpriseAttack[]; + threat: IMitreEnterpriseAttack[]; } export interface ScheduleStepRuleJson { diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx index ce6e6ccf4e9e3..ee06e193c0105 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx @@ -49,7 +49,7 @@ export const SignalsByCategory = React.memo( showLinkToSignals={true} defaultStackByOption={{ text: `${i18n.SIGNALS_BY_CATEGORY}`, - value: 'signal.rule.threats', + value: 'signal.rule.threat', }} legendPosition={'right'} to={to} diff --git a/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts b/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts index 9f57155d4d189..730e6b884a182 100644 --- a/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts +++ b/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts 
@@ -399,7 +399,7 @@ export const ecsSchema = gql` references: ToStringArray severity: ToStringArray tags: ToStringArray - threats: ToAny + threat: ToAny type: ToStringArray size: ToStringArray to: ToStringArray diff --git a/x-pack/legacy/plugins/siem/server/graphql/types.ts b/x-pack/legacy/plugins/siem/server/graphql/types.ts index bc7486777b990..303262ece5c7f 100644 --- a/x-pack/legacy/plugins/siem/server/graphql/types.ts +++ b/x-pack/legacy/plugins/siem/server/graphql/types.ts @@ -1017,7 +1017,7 @@ export interface RuleField { tags?: Maybe; - threats?: Maybe; + threat?: Maybe; type?: Maybe; @@ -4994,7 +4994,7 @@ export namespace RuleFieldResolvers { tags?: TagsResolver, TypeParent, TContext>; - threats?: ThreatsResolver, TypeParent, TContext>; + threat?: ThreatResolver, TypeParent, TContext>; type?: TypeResolver, TypeParent, TContext>; @@ -5112,7 +5112,7 @@ export namespace RuleFieldResolvers { Parent = RuleField, TContext = SiemContext > = Resolver; - export type ThreatsResolver< + export type ThreatResolver< R = Maybe, Parent = RuleField, TContext = SiemContext diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts index b5c75e7c3ae0b..d950d89eb22a6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -34,7 +34,7 @@ export const mockPrepackagedRule = (): PrepackagedRules => ({ severity: 'high', query: 'user.name: root or user.name: admin', language: 'kuery', - threats: [ + threat: [ { framework: 'fake', tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef' }, 
@@ -69,7 +69,7 @@ export const typicalPayload = (): Partial => ({ severity: 'high', query: 'user.name: root or user.name: admin', language: 'kuery', - threats: [ + threat: [ { framework: 'fake', tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef' }, @@ -298,7 +298,7 @@ export const getResult = (): RuleAlertType => ({ severity: 'high', to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json index 4f3ba768b17b0..fc936444db699 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json @@ -87,7 +87,7 @@ "tags": { "type": "keyword" }, - "threats": { + "threat": { "type": "object" }, "type": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts index 0c98507bc6fa8..68375043070f8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts @@ -70,7 +70,7 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou name, severity, tags, - threats, + threat, to, type, updated_at: updatedAt, @@ -128,7 +128,7 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou tags, to, type, - threats, + threat, updatedAt, references, version, 
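Review bot: Renaming the mapped property from `threats` to `threat` in the `@@ -87,7` hunk changes the stored field name for every signal written from now on, but editing the mapping does not rename the field inside signal documents that already exist, and with dynamic mapping an index that already holds `signal.rule.threats` will presumably end up carrying both properties side by side. The overview chart is switched to stack by `signal.rule.threat` in this same patch, so those older signals would silently drop out of that breakdown rather than fail loudly. If the signals index is versioned or recreated on upgrade this is moot — I cannot see that from the hunk — otherwise a sentence in the commit message, or a reindex/alias step in the index-creation code, would keep the rename from looking like data loss. The enclosing mapping object starts and ends outside the hunk.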
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts index 4480186d9a7a6..060659d0e1897 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts @@ -56,7 +56,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = name, severity, tags, - threats, + threat, to, type, updated_at: updatedAt, @@ -115,7 +115,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = tags, to, type, - threats, + threat, updatedAt, references, version: 1, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts index 0dfdee2d71375..88a31c36a87fc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts @@ -105,7 +105,7 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = name, severity, tags, - threats, + threat, to, type, references, @@ -154,7 +154,7 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = tags, to, type, - threats, + threat, updatedAt: new Date().toISOString(), references, version, @@ -189,7 +189,7 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = tags, to, type, - threats, + threat, references, version, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts index cf98043529bc0..8c7558d6d4fb5 100644 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts @@ -70,7 +70,7 @@ export const createUpdateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou tags, to, type, - threats, + threat, references, version, } = payloadRule; @@ -103,7 +103,7 @@ export const createUpdateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou tags, to, type, - threats, + threat, references, version, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts index cbb66317186a1..f51cea0753f1a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts @@ -54,7 +54,7 @@ export const createUpdateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = tags, to, type, - threats, + threat, references, version, } = request.payload; @@ -98,7 +98,7 @@ export const createUpdateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = tags, to, type, - threats, + threat, references, version, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts index b2e56234cfc9e..ec11a8fb2da39 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts @@ -52,7 +52,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { 
@@ -115,7 +115,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -180,7 +180,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -245,7 +245,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -308,7 +308,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -374,7 +374,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -440,7 +440,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -506,7 +506,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: ['tag 1', 'tag 2'], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -623,7 +623,7 @@ describe('utils', () => { tags: [], to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -696,7 +696,7 @@ describe('utils', () => { tags: [], to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -858,7 +858,7 @@ describe('utils', () => { tags: [], to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -979,7 +979,7 @@ describe('utils', () => { saved_id: 'some-id', severity: 'high', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -1039,7 +1039,7 @@ describe('utils', () => { saved_id: 'some-id', severity: 'high', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { 
@@ -1088,7 +1088,7 @@ describe('utils', () => { saved_id: 'some-id', severity: 'high', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts index ae79b571b2b62..663ddf3a835a6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts @@ -110,7 +110,7 @@ export const transformAlertToRule = ( tags: transformTags(alert.tags), to: alert.params.to, type: alert.params.type, - threats: alert.params.threats, + threat: alert.params.threat, version: alert.params.version, status: ruleStatus?.attributes.status, status_date: ruleStatus?.attributes.statusDate, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts index c8c25f489bf79..b536cfac05df3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts @@ -224,7 +224,7 @@ describe('add prepackaged rules schema', () => { ).toBeFalsy(); }); - test('You can send in an empty array to threats', () => { + test('You can send in an empty array to threat', () => { expect( addPrepackagedRulesSchema.validate>({ rule_id: 'rule-1', 
@@ -241,12 +241,12 @@ describe('add prepackaged rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [], + threat: [], version: 1, }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version, threats] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version, s] does validate', () => { expect( addPrepackagedRulesSchema.validate>({ rule_id: 'rule-1', @@ -259,7 +259,7 @@ describe('add prepackaged rules schema', () => { severity: 'low', interval: '5m', type: 'query', - threats: [ + threat: [ { framework: 'someFramework', tactic: { @@ -744,11 +744,11 @@ describe('add prepackaged rules schema', () => { ); }); - test('You cannot send in an array of threats that are missing "framework"', () => { + test('You cannot send in an array of threat that are missing "framework"', () => { expect( addPrepackagedRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -765,7 +765,7 @@ describe('add prepackaged rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { tactic: { id: 'fakeId', @@ -784,15 +784,15 @@ describe('add prepackaged rules schema', () => { version: 1, }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "framework" fails because ["framework" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "framework" fails because ["framework" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "tactic"', () => { + test('You cannot send in an array of threat that are missing "tactic"', () => { expect( addPrepackagedRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', 
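Review bot: The renamed test title in the `@@ -241,12` hunk lost the field name — it now reads `version, s] does validate`, which looks like a search-and-replace that turned `threats` into `s`. The test body still sends `threat: [...]`, so only the reported test name is wrong, but it should read `[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version, threat] does validate`. The sibling create/import schema tests in this patch spell the field out correctly, so this one is the odd one out. The enclosing `describe` block starts and ends outside the hunk.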
@@ -809,7 +809,7 @@ describe('add prepackaged rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', technique: [ @@ -824,15 +824,15 @@ describe('add prepackaged rules schema', () => { version: 1, }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "technique"', () => { + test('You cannot send in an array of threat that are missing "technique"', () => { expect( addPrepackagedRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -849,7 +849,7 @@ describe('add prepackaged rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', tactic: { @@ -862,7 +862,7 @@ describe('add prepackaged rules schema', () => { version: 1, }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "technique" fails because ["technique" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "technique" fails because ["technique" is required]]]' ); }); @@ -1241,6 +1241,7 @@ describe('add prepackaged rules schema', () => { rule_id: 'rule-1', risk_score: 50, description: 'some description', + index: ['auditbeat-*'], name: 'some-name', severity: 'low', type: 'query', @@ -1259,6 +1260,7 @@ describe('add prepackaged rules schema', () => { rule_id: 'rule-1', risk_score: 50, description: 'some description', + index: ['auditbeat-*'], name: 'some-name', severity: 'junk', type: 'query', 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts index 240021d40ddc4..b62c480492c84 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts @@ -30,7 +30,7 @@ import { tags, to, type, - threats, + threat, references, version, } from './schemas'; @@ -58,7 +58,7 @@ export const addPrepackagedRulesSchema = Joi.object({ .forbidden() .default(true) .valid(true), - index, + index: index.required(), interval: interval.default('5m'), query: query.allow('').default(''), language: language.default('kuery'), @@ -77,7 +77,7 @@ export const addPrepackagedRulesSchema = Joi.object({ tags: tags.default([]), to: to.default('now'), type: type.required(), - threats: threats.default([]), + threat: threat.default([]), references: references.default([]), version: version.required(), }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts index 6308331cc9325..d9605a265d28b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts @@ -239,7 +239,7 @@ describe('create rules schema', () => { ).toBeFalsy(); }); - test('You can send in an empty array to threats', () => { + test('You can send in an empty array to threat', () => { expect( createRulesSchema.validate>({ rule_id: 'rule-1', 
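Review bot: `index: index.required()` in the `@@ -58,7` hunk is a validation change that the commit title does not mention: a prepackaged rule object without `index` was accepted before and is rejected now, which is why the two fixtures around lines 1241 and 1259 of the schema test had to gain `index: ['auditbeat-*']`. Requiring a rule to name the indices it queries is a sensible tightening — a rule with no `index` would presumably fall back to some default pattern, and I cannot see that default from here — but it deserves a line in the commit message and a negative test so a later refactor cannot quietly drop the `.required()`. Taking the valid object from the `[rule_id, …] does validate` test, omitting `index`, and asserting `.error.message` equals `child "index" fails because ["index" is required]` would pin it, in the same shape as the existing `"framework" is required` assertions. The enclosing `Joi.object({ … })` literal starts and ends outside the hunk.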
@@ -257,12 +257,12 @@ describe('create rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [], + threat: [], }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threats] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threat] does validate', () => { expect( createRulesSchema.validate>({ rule_id: 'rule-1', @@ -276,7 +276,7 @@ describe('create rules schema', () => { severity: 'low', interval: '5m', type: 'query', - threats: [ + threat: [ { framework: 'someFramework', tactic: { @@ -678,11 +678,11 @@ describe('create rules schema', () => { ); }); - test('You cannot send in an array of threats that are missing "framework"', () => { + test('You cannot send in an array of threat that are missing "framework"', () => { expect( createRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -700,7 +700,7 @@ describe('create rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { tactic: { id: 'fakeId', @@ -718,15 +718,15 @@ describe('create rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "framework" fails because ["framework" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "framework" fails because ["framework" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "tactic"', () => { + test('You cannot send in an array of threat that are missing "tactic"', () => { expect( createRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', 
@@ -744,7 +744,7 @@ describe('create rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', technique: [ @@ -758,15 +758,15 @@ describe('create rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "technique"', () => { + test('You cannot send in an array of threat that are missing "technique"', () => { expect( createRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -784,7 +784,7 @@ describe('create rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', tactic: { @@ -796,7 +796,7 @@ describe('create rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "technique" fails because ["technique" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "technique" fails because ["technique" is required]]]' ); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts index 06dbb0cbb48f3..eb79e06c8efa6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts @@ -30,7 +30,7 @@ import { tags, to, type, - threats, + threat, references, version, } from './schemas'; 
@@ -65,7 +65,7 @@ export const createRulesSchema = Joi.object({ tags: tags.default([]), to: to.default('now'), type: type.required(), - threats: threats.default([]), + threat: threat.default([]), references: references.default([]), version: version.default(1), }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts index f761ba6198e74..c72e1b7ef2a63 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts @@ -244,7 +244,7 @@ describe('import rules schema', () => { ).toBeFalsy(); }); - test('You can send in an empty array to threats', () => { + test('You can send in an empty array to threat', () => { expect( importRulesSchema.validate>({ rule_id: 'rule-1', @@ -262,12 +262,12 @@ describe('import rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [], + threat: [], }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threats] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threat] does validate', () => { expect( importRulesSchema.validate>({ rule_id: 'rule-1', @@ -281,7 +281,7 @@ describe('import rules schema', () => { severity: 'low', interval: '5m', type: 'query', - threats: [ + threat: [ { framework: 'someFramework', tactic: { 
@@ -685,11 +685,11 @@ describe('import rules schema', () => { ); }); - test('You cannot send in an array of threats that are missing "framework"', () => { + test('You cannot send in an array of threat that are missing "framework"', () => { expect( importRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -707,7 +707,7 @@ describe('import rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { tactic: { id: 'fakeId', @@ -725,15 +725,15 @@ describe('import rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "framework" fails because ["framework" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "framework" fails because ["framework" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "tactic"', () => { + test('You cannot send in an array of threat that are missing "tactic"', () => { expect( importRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -751,7 +751,7 @@ describe('import rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', technique: [ 
@@ -765,15 +765,15 @@ describe('import rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "technique"', () => { + test('You cannot send in an array of threat that are missing "technique"', () => { expect( importRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -791,7 +791,7 @@ describe('import rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', tactic: { @@ -803,7 +803,7 @@ describe('import rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "technique" fails because ["technique" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "technique" fails because ["technique" is required]]]' ); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts index 672eb43d51773..1254694645b9c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts @@ -36,7 +36,7 @@ import { tags, to, type, - threats, + threat, references, version, } from './schemas'; 
@@ -82,7 +82,7 @@ export const importRulesSchema = Joi.object({ tags: tags.default([]), to: to.default('now'), type: type.required(), - threats: threats.default([]), + threat: threat.default([]), references: references.default([]), version: version.default(1), created_at, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts index 7a2faf44b328a..9b311b1b58ea7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts @@ -87,7 +87,7 @@ export const threat_technique = Joi.object({ reference: threat_technique_reference.required(), }); export const threat_techniques = Joi.array().items(threat_technique.required()); -export const threats = Joi.array().items( +export const threat = Joi.array().items( Joi.object({ framework: threat_framework.required(), tactic: threat_tactic.required(), diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts index a28f02661da8c..0dc9f3df3da1c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts @@ -670,7 +670,7 @@ describe('update rules schema', () => { ).toEqual('child "filters" fails because ["filters" must be an array]'); }); - test('threats is not defaulted to empty array on update', () => { + test('threat is not defaulted to empty array on update', () => { expect( updateRulesSchema.validate>({ id: 'rule-1', 
@@ -686,11 +686,11 @@ describe('update rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - }).value.threats + }).value.threat ).toBe(undefined); }); - test('threats is not defaulted to undefined on update with empty array', () => { + test('threat is not defaulted to undefined on update with empty array', () => { expect( updateRulesSchema.validate>({ id: 'rule-1', @@ -706,12 +706,12 @@ describe('update rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [], - }).value.threats + threat: [], + }).value.threat ).toMatchObject([]); }); - test('threats is valid when updated with all sub-objects', () => { + test('threat is valid when updated with all sub-objects', () => { const expected: ThreatParams[] = [ { framework: 'fake', @@ -744,7 +744,7 @@ describe('update rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', tactic: { @@ -761,15 +761,15 @@ describe('update rules schema', () => { ], }, ], - }).value.threats + }).value.threat ).toMatchObject(expected); }); - test('threats is invalid when updated with missing property framework', () => { + test('threat is invalid when updated with missing property framework', () => { expect( updateRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ id: 'rule-1', @@ -785,7 +785,7 @@ describe('update rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { tactic: { id: 'fakeId', 
@@ -803,15 +803,15 @@ describe('update rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "framework" fails because ["framework" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "framework" fails because ["framework" is required]]]' ); }); - test('threats is invalid when updated with missing tactic sub-object', () => { + test('threat is invalid when updated with missing tactic sub-object', () => { expect( updateRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ id: 'rule-1', @@ -827,7 +827,7 @@ describe('update rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', technique: [ @@ -841,15 +841,15 @@ describe('update rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' ); }); - test('threats is invalid when updated with missing technique', () => { + test('threat is invalid when updated with missing technique', () => { expect( updateRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ id: 'rule-1', @@ -865,7 +865,7 @@ describe('update rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', tactic: { @@ -877,7 +877,7 @@ describe('update rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "technique" fails because ["technique" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "technique" fails because ["technique" is required]]]' ); }); 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
index d363bfca98466..3aa8e007a8cbd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
@@ -30,7 +30,7 @@ import {
 tags,
 to,
 type,
- threats,
+ threat,
 references,
 id,
 version,
@@ -61,7 +61,7 @@ export const updateRulesSchema = Joi.object({
 tags,
 to,
 type,
- threats,
+ threat,
 references,
 version,
 }).xor('id', 'rule_id');
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
index 1d3801d80de11..d65f5f84c6d64 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
@@ -32,7 +32,7 @@ export const createRules = ({
 name,
 severity,
 tags,
- threats,
+ threat,
 to,
 type,
 references,
@@ -63,7 +63,7 @@ export const createRules = ({
 maxSignals,
 riskScore,
 severity,
- threats,
+ threat,
 to,
 type,
 updatedAt: new Date().toISOString(),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
index 48b7195c3b0bc..d4b7c252e3e38 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
@@ -65,7 +65,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
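Review bot: In the second `create_rules.ts` hunk the object that is handed to the alerting client now carries `threat` where it previously carried `threats`, yet no saved-object migration for rules that were stored before this rename is visible in this chunk, so such rules would read back with `threat` undefined and lose their ATT&CK mapping in exports and in the UI. If a migration is added elsewhere in the series, a short comment next to `threat,` pointing to it would save the next reader the search; if not, one is needed, and the same concern applies to the two `install_prepacked_rules.ts` hunks further down, which store prepackaged rules the same way. The `createRules` body starts and ends outside both hunks, so that this object is the persisted `params` payload is inferred from the neighbouring `updatedAt` field rather than shown here.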
@@ -88,7 +88,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -130,7 +130,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -153,7 +153,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -194,7 +194,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -217,7 +217,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -258,7 +258,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 });
@@ -282,7 +282,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 });
@@ -322,7 +322,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 });
@@ -348,7 +348,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts
index 92bb4b0b6f5c5..ff48b9f5f7c33 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts 
@@ -23,7 +23,7 @@ describe('getExportAll', () => { const exports = await getExportAll(unsafeCast); expect(exports).toEqual({ rulesNdjson: - '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threats":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"technique":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n', + '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: 
admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"technique":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n', exportDetails: '{"exported_count":1,"missing_rules":[],"missing_rules_count":0}\n', }); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts index fa2b481500e9d..05e455efb3f22 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts 
@@ -25,7 +25,7 @@ describe('get_export_by_object_ids', () => { const exports = await getExportByObjectIds(unsafeCast, objects); expect(exports).toEqual({ rulesNdjson: - '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threats":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"technique":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n', + '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: 
admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"technique":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n', exportDetails: '{"exported_count":1,"missing_rules":[],"missing_rules_count":0}\n', }); }); @@ -98,7 +98,7 @@ describe('get_export_by_object_ids', () => { tags: [], to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts index 555063854dc60..7e8ed62baf1cf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts @@ -40,7 +40,7 @@ export const installPrepackagedRules = ( tags, to, type, - threats, + threat, references, version, } = rule; @@ -72,7 +72,7 @@ export const installPrepackagedRules = ( tags, to, type, - threats, + threat, references, version, createdAt: new Date().toISOString(), diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json index 86d09eacda28a..da0613e1f6fa7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Web Application Suspicious Activity: POST Request Declined",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
index 244624ddcf6e2..b0edfb25e9392 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Web Application Suspicious Activity: Unauthorized Method",
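Review bot: Both web-application rules (`403_response_to_a_post.json` here and `405_response_method_not_allowed.json` in the next section) are given an `index` list that includes `auditbeat-*`, `endgame-*` and `winlogbeat-*` next to the HTTP-carrying `apm-*-transaction*`, `packetbeat-*` and `filebeat-*` patterns. If the rule queries match on HTTP response fields (the `query` is not in either hunk), the extra patterns add index fan-out and cluster load on every run without adding matches, so trimming the list to the sources that carry HTTP status data, or a comment explaining why the full default set is intended, would make the choice explicit. The same six-entry list is pasted verbatim into both files, so a shared default would keep them from drifting apart later.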
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
index 8545138eb416c..33a51b507709f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -15,7 +15,7 @@
 "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
index ce7fac0f8665f..1721c9fa108ef 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
@@ -15,7 +15,7 @@
 "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
index 761202b4f858d..b8d97949d5499 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
@@ -15,7 +15,7 @@
 "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
index 3abe704626096..da10251bc5bbc 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
@@ -15,7 +15,7 @@
 "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
index 4192622c90fbb..d0ccf666c8ef8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
@@ -15,7 +15,7 @@
 "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
index af92f22db98e7..03288c2e7b937 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
@@ -15,7 +15,7 @@
 "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
index cc68744f2aeae..f71a5835046af 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
@@ -15,7 +15,7 @@
 "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
index 710139d3f6a7f..fb8ad7c84ec6e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
@@ -15,7 +15,7 @@
 "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
index 31bdef69cdefe..d09b99b4db789 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
@@ -15,7 +15,7 @@
 "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
index ade4d454433f2..d9d4c6980ae8a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
@@ -15,7 +15,7 @@
 "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
index 6be42fc6343bc..372072ca4c474 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
@@ -15,7 +15,7 @@
 "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
index 36ca0d7802866..4d2b379cad3e2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
@@ -15,7 +15,7 @@
 "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
index 78637e4b6a169..abee2a90d53be 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
@@ -15,7 +15,7 @@
 "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
index 2e28dc4b5c118..331d22b0412d2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
@@ -15,7 +15,7 @@
 "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
index 46d20a8591119..8c1c9351013bb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
@@ -15,7 +15,7 @@
 "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
index 9c38f13ed9187..7b5f1746c7fea 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
@@ -15,7 +15,7 @@
 "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
index 6e2a43c502fb4..fdd9ba268bd9b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
@@ -15,7 +15,7 @@
 "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8",
 "severity": "high",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
index 32a3d8d47d917..0d555bcbe0355 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
@@ -15,7 +15,7 @@
 "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
index d86632f739534..d18a172561596 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
@@ -16,7 +16,7 @@
 "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
index 6b86c5c487284..a4854196c2369 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
@@ -15,7 +15,7 @@
 "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
index 321c09fe9d6c9..8a3f8414f4f44 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
@@ -15,7 +15,7 @@
 "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
index ea95faca9d662..a1e1a3438ac34 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
@@ -15,7 +15,7 @@
 "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
index 400ae25e9caa2..533d8c3b17682 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json
@@ -15,7 +15,7 @@
 "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f",
 "severity": "high",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
index 5310c8f503b01..b54fef4b94a2c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
@@ -15,7 +15,7 @@
 "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
index fc09b677b56c4..f114875d13f92 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
@@ -15,7 +15,7 @@
 "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
index fdea18d47f263..6d4144fea7023 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
@@ -15,7 +15,7 @@
 "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
index 3322e275a0a47..4e6e33fe2ff5e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
@@ -15,7 +15,7 @@
 "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
index bc231a3eed0c1..d0d720d8c68ca 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
@@ -15,7 +15,7 @@
 "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
index 74383a2491f4c..0f27141ca83b7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
@@ -15,7 +15,7 @@
 "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27",
 "severity": "medium",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
index 7cb013fd9ce21..8ef7f78b8fc0e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
@@ -15,7 +15,7 @@
 "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
 "severity": "high",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
index bbf29ec778d9c..eb8de4621b545 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
@@ -15,7 +15,7 @@
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
 "severity": "high",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
index 73c4f95cb70a2..1fd351d510be0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
@@ -15,7 +15,7 @@
 "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
index df0c6eec8c370..bdb45a4f34542 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
@@ -15,7 +15,7 @@
 "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210",
 "severity": "low",
 "tags": ["EIA"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
index ca7515b3c0cfc..d0a07ce2d0365 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Hping Process Activity",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
index 3b31b66ff13b9..1a116735e98f3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Potential DNS Tunneling via Iodine",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
index 595e19ae4ac1c..5adfe254f6df9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
@@ -14,7 +14,7 @@
 "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
 "severity": "low",
 "tags": ["EIA", "auditbeat"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
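Review bot: The `index` array added at the top of the linux_hping_activity hunk is the same six-pattern list (`apm-*-transaction*` through `winlogbeat-*`) for every rule in this patch, regardless of what the rule actually reads, so a Linux process rule is also evaluated against APM transaction and Windows event indices. Scoping each rule to the sources it needs — for the Linux process rules plausibly `auditbeat-*` and `endgame-*`, for the network_* rules plausibly `packetbeat-*` and `filebeat-*` — keeps each scheduled query narrower and avoids surprises from unrelated mappings; if the list is meant to mirror an app-wide default, a single shared default would be easier to keep in sync than a copy in every file. The same list is added in the linux_iodine, linux_ldso, linux_mknod, linux_netcat, linux_nmap, linux_nping, linux_process_started_in_temp_directory, linux_socat, linux_ssh_forwarding, linux_strace, linux_tcpdump and all network_* hunks that follow.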
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
index d55788d53c609..187fc6379ef25 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "ld.so is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or administrators. Use of ld.so by non-engineers or ordinary users is uncommon."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Ld.so Process Activity",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
index 110c9af9e42b4..1fe4802c6cf79 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Mknod Process Activity",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
index f91466a2a766d..6d57d0cbab375 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools and frameworks."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Netcat Network Activity",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
index 106231dd1ca87..b2284eea3f309 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Security testing tools and frameworks may run nmap in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Nmap Process Activity",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
index ff95125ce3541..4d37f32fb3ca0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Some normal use of this command may originate from security engineers and network or server administrators but this is usually not routine or unannounced. Use of nping by non-engineers or ordinary users is uncommon."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Nping Process Activity",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json
index dc6b99ca62c1e..d38cead306cd4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Build systems like Jenkins may start processes in the /tmp directory. These can be exempted by name or by username."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Unusual Process Execution - Temp",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
index 2420f90ab457d..1711f45e770ed 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -13,7 +13,7 @@
 "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb",
 "severity": "low",
 "tags": ["Elastic", "linux"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
index ad6b3e4edd0c8..364a2bee65c23 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Socat Process Activity",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
index a3fb90cd97e8d..3447689f08d62 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Some normal use of this command may originate from usage by engineers as an alternative or ad-hoc remote access solution. Use of this command by non-administrative users is uncommon."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Potential Lateral Movement via SSH Port Forwarding",
@@ -12,7 +20,7 @@
 "rule_id": "45d256ab-e665-445b-8306-2f83a8db59f8",
 "severity": "medium",
 "tags": ["Elastic", "linux"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
index fd82289475eb7..b0c2b4ecd07c2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Strace Process Activity",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
index e9612585fc958..594aee0eca708 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting."
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Network Sniffing via Tcpdump",
@@ -11,7 +19,7 @@
 "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0",
 "severity": "low",
 "tags": ["Elastic", "linux"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
index 7a1f6c2ea71e5..a370a44d4eb46 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
@@ -9,7 +9,7 @@
 "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9",
 "severity": "low",
 "tags": ["Elastic", "linux"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
index 68fd0016a1a6f..5c1d64e294159 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
@@ -3,6 +3,14 @@
 "false_positives": [
 "You should apply a filter to this rule to exclude your enterprise nameservers that are expected to reach out to the Internet"
 ],
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "name": "DNS Activity to the Internet",
 "query": "destination.port:53 and (\n network.direction: outbound or (\n source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\\:\\:fb or 255.255.255.255 )\n )\n)\n",
 "references": [
@@ -13,7 +21,7 @@
 "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
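Review bot: In the network_dns_directly_to_the_internet hunk the new `index` block is followed directly by `"name"`, whereas every sibling network_* rule in this patch carries `"language": "kuery"` between `index` and `name`; the keys appear alphabetically ordered, so this rule seems to have no `language` field at all. If the rule schema does not default the language, the `query` here (KQL-style `destination.port:53 and (...)`) would be parsed or validated differently from the others, so it is worth confirming and, if the field is indeed absent, adding `"language": "kuery",` right after the new `],`. The same check applies to any other rule in the series whose context skips from `],` to `"name"`.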
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
index cb109b24692d3..62064db7e1443 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "This signal detects events that may indicate the use of FTP network connections.\nThe File Transfer Protocol (FTP) has been around in its current form since the\n1980's. It can be an efficient and normal procedure on your network to send and\nreceive files. Because it is common and efficient, adversaries will also often\nuse this protocol to exfiltrate data from your network or download new tools.\nAdditionally, FTP is a plaintext protocol which may expose your username and\npassword, if intercepted.\n",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "FTP (File Transfer Protocol) Activity to the Internet",
 "query": "network.transport: tcp and destination.port: (20 or 21) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
@@ -7,7 +15,7 @@
 "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
index d58ad82f2a210..4590fdf39d143 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "This signal detects events that use common ports for IRC to the Internet. IRC\nis a common protocol that can be used chat and file transfer. This protocol\nalso makes a good candidate for remote control of malware and data transfer in\nand out of a network.\n",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
 "query": "network.transport: tcp and destination.port:(6667 or 6697) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
@@ -7,7 +15,7 @@
 "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
index d7a87ffdcfbd4..e74bed3463993 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "This signal detects events that could be describing IPSEC NAT Traversal traffic.\nIPSEC is a VPN technology that allows one system to talk to another using\nencrypted tunnels. NAT Traversal enables these tunnels to communicate over\nthe Internet where one of the sides is behind a NAT router gateway. This may\nbe common on your network, but this technique is also used by threat actors\nto avoid detection.\n",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "IPSEC NAT Traversal Port Activity",
 "query": "network.transport: udp and destination.port: 4500",
@@ -7,7 +15,7 @@
 "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
index c003e1c8d084a..e05e83ff0a1ee 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "This signal detects events that may indicate use of SMTP on TCP port 26. This\nport is commonly used by several popular mail transfer agents to deconflict\nwith the default SMTP port 25. This port has also been used by a malware family\ncalled BadPatch for command and control of Windows systems.\n",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "SMTP on Port 26/TCP",
 "query": "network.transport: tcp and destination.port: 26",
@@ -11,7 +19,7 @@
 "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
index a1da329ab0ba6..e193ab83d89fd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "TCP Port 8000 is commonly used for development environments of web server\nsoftware. It generally should not be exposed directly to the Internet. If you are\nrunning software like this on the Internet, you should consider placing it behind\na reverse proxy.\n",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "TCP Port 8000 Activity to the Internet",
 "query": "network.transport: tcp and destination.port: 8000 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
@@ -7,7 +15,7 @@
 "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
index 4cf0e32882cd7..7b527dbc09a44 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
@@ -1,5 +1,13 @@
 {
 "description": "This signal detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "PPTP (Point to Point Tunneling Protocol) Activity",
 "query": "network.transport: tcp and destination.port: 1723",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
index 88bc430f547c1..50f521ea91e2b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "This signal detects events that may describe network events of proxy use to the\nInternet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically\nenvironments will use an internal IP address for a proxy server. It can also\nbe used to circumvent network controls and detection mechanisms.\n",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Proxy Port Activity to the Internet",
 "query": "network.transport: tcp and destination.port: (3128 or 8080 or 1080) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
@@ -7,7 +15,7 @@
 "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
index bd4fda4a6dadd..edd4aa456974d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "This signal detects network events that may indicate the use of RDP traffic\nfrom the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "RDP (Remote Desktop Protocol) from the Internet",
 "query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
@@ -7,7 +15,7 @@
 "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
index a733b4602f869..c9f3f95ad1e07 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "This signal detects network events that may indicate the use of RDP traffic\nto the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "RDP (Remote Desktop Protocol) to the Internet",
 "query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
@@ -7,7 +15,7 @@
 "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
index 80a6f66eb11c5..9f5a60f1743d7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
@@ -1,5 +1,13 @@
 {
 "description": "This signal detects network events that may indicate the use of RPC traffic\nfrom the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "RPC (Remote Procedure Call) from the Internet",
 "query": "network.transport: tcp and destination.port: 135 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
@@ -7,7 +15,7 @@
 "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
 "severity": "low",
 "tags": ["Elastic", "network"],
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
index 458b5d8116c77..b860158ef93d3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
@@ -1,5 +1,13 @@ { "description": "This signal detects network events that may indicate the use of RPC traffic\nto the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "RPC (Remote Procedure Call) to the Internet", "query": "network.transport: tcp and destination.port: 135 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", @@ -7,7 +15,7 @@ "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json index 14228d668401e..fa1f1aba66e83 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json 
@@ -1,5 +1,13 @@ { "description": "This signal detects network events that may indicate the use of Windows\nfile sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly\nused within networks to share files, printers, and other system resources amongst\ntrusted systems. It should almost never be directly exposed to the Internet, as\nit is frequently targetted and exploited by threat actors as an initial access\nor backdoor vector or for data exfiltration.\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "SMB (Windows File Sharing) Activity to the Internet", "query": "network.transport: tcp and destination.port: (139 or 445) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", @@ -7,7 +15,7 @@ "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json index 116eae3000cf8..85c8b3f05166c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json 
@@ -1,5 +1,13 @@ { "description": "This signal detects events that may describe SMTP traffic from internal\nhosts to a host across the Internet. In an enterprise network, there is typically\na dedicate host that is internal that could perform this function. It is also\nfrequently abused by threat actors for command and control or data exfiltration.\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "SMTP to the Internet", "query": "network.transport: tcp and destination.port: (25 or 465 or 587) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", @@ -7,7 +15,7 @@ "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json index ceda0d5b36f97..e0998029081d3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json 
@@ -1,5 +1,13 @@ { "description": "This signal detects events that may describe database traffic\n(MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases\nshould almost never be directly exposed to the Internet, as they are\nfrequently targeted by threat actors to gain initial access to network resources.\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "SQL Traffic to the Internet", "query": "network.transport: tcp and destination.port: (1433 or 1521 or 3336 or 5432) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json index e889170f9ffb5..2428909491584 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json 
@@ -1,5 +1,13 @@ { "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "SSH (Secure Shell) from the Internet", "query": "network.transport: tcp and destination.port:22 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", @@ -7,7 +15,7 @@ "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json index 22f094aca0919..cf77f9363f525 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json 
@@ -1,5 +1,13 @@ { "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "SSH (Secure Shell) to the Internet", "query": "network.transport: tcp and destination.port:22 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", @@ -7,7 +15,7 @@ "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json index 16362605a9c1f..a9a364b1b14bd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json 
@@ -1,5 +1,13 @@ { "description": "This signal detects network events that may indicate the use of Telnet traffic.\nTelnet is commonly used by system administrators to remotely control older or embeded\nsystems using the command line shell. It should almost never be directly exposed to\nthe Internet, as it is frequently targetted and exploited by threat actors as an\ninitial access or backdoor vector. As a plaintext protocol, it may also expose\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Telnet Port Activity", "query": "network.transport: tcp and destination.port: 23", @@ -7,7 +15,7 @@ "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json index 0cd0711db9f15..811a81c0e6754 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json 
@@ -1,5 +1,13 @@ { "description": "This signal detects network events that may indicate the use of Tor traffic\nto the Internet. Tor is a network protocol that sends traffic through a\nseries of encrypted tunnels used to conceal a user's location and usage.\nTor may be used by threat actors as an alternate communication pathway to\nconceal the actor's indentity and avoid detection.\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Tor Activity to the Internet", "query": "network.transport: tcp and destination.port: (9001 or 9030) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", @@ -7,7 +15,7 @@ "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json index c52f4e72de91f..d46ee76ba72b2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json 
@@ -1,5 +1,13 @@ { "description": "This signal detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "VNC (Virtual Network Computing) from the Internet", "query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", @@ -7,7 +15,7 @@ "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json index 8333dcbb02a73..d820cedc335ab 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json 
@@ -1,5 +1,13 @@ { "description": "This signal detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "VNC (Virtual Network Computing) to the Internet", "query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", @@ -7,7 +15,7 @@ "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json index 2108b44b8e468..9d787d3ab738f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json 
@@ -3,6 +3,14 @@ "false_positives": [ "Some normal applications and scripts may contain no user agent. Most legitmate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." ], + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "filters": [ { "$state": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json index 76fe6d94f4692..c92b801995837 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json @@ -3,6 +3,14 @@ "false_positives": [ "This signal does not indicate that a SQL injection attack occured, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." ], + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Web Application Suspicious Activity: sqlmap User Agent", "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts index 0120a90df58ae..a169e5107c316 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts 
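Review bot: The `sqlmap_user_agent.json` query in this hunk matches one exact string, `sqlmap/1.3.11#stable (http://sqlmap.org)`, so the rule only fires for that single release and silently misses every other version even though the `false_positives` text describes the detection as tool-level; if `user_agent.original` is keyword-mapped, a prefix match such as `"query": "user_agent.original: sqlmap*"` would be more durable. As a point of style, in `null_user_agent.json` the new `index` key is inserted between `false_positives` and `filters`, while every other rule in this diff keeps keys alphabetical (`index` before `language`); moving it after `filters` would keep the files consistent.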
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts
@@ -38,7 +38,7 @@ export const updatePrepackagedRules = async (
 tags,
 to,
 type,
- threats,
+ threat,
 references,
 version,
 } = rule;
@@ -70,7 +70,7 @@ export const updatePrepackagedRules = async (
 tags,
 to,
 type,
- threats,
+ threat,
 references,
 version,
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
index c4d78e83eebd6..e37e899c7de51 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
@@ -103,7 +103,7 @@ export const updateRules = async ({
 name,
 severity,
 tags,
- threats,
+ threat,
 to,
 type,
 references,
@@ -133,7 +133,7 @@ export const updateRules = async ({
 name,
 severity,
 tags,
- threats,
+ threat,
 to,
 type,
 references,
@@ -161,7 +161,7 @@ export const updateRules = async ({
 maxSignals,
 riskScore,
 severity,
- threats,
+ threat,
 to,
 type,
 updatedAt: new Date().toISOString(),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/import/multiple_ruleid_queries.ndjson b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/import/multiple_ruleid_queries.ndjson
index 4c45ac7a1b38b..e395916363ab6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/import/multiple_ruleid_queries.ndjson
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/import/multiple_ruleid_queries.ndjson
@@ -1,3 +1,3 @@ -{"created_at":"2020-01-09T01:38:00.740Z","updated_at":"2020-01-09T01:38:00.740Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"6688f367-1aa2-4895-a5a8-b3701eecf57d","immutable":false,"interval":"5m","rule_id":"query-rule-id-1","language":"kuery","output_index":".siem-signals-frank-default","max_signals":100,"risk_score":1,"name":"Query with a rule id Number 1","query":"user.name: root or user.name: admin","references":[],"severity":"high","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1} -{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-2","language":"kuery","output_index":".siem-signals-frank-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1} +{"created_at":"2020-01-09T01:38:00.740Z","updated_at":"2020-01-09T01:38:00.740Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"6688f367-1aa2-4895-a5a8-b3701eecf57d","immutable":false,"interval":"5m","rule_id":"query-rule-id-1","language":"kuery","output_index":".siem-signals-frank-default","max_signals":100,"risk_score":1,"name":"Query with a rule id Number 1","query":"user.name: root or user.name: admin","references":[],"severity":"high","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1} 
+{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-2","language":"kuery","output_index":".siem-signals-frank-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1} {"exported_count":2,"missing_rules":[],"missing_rules_count":0} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json index c03a76942e4d2..fec582ce77295 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json @@ -1,11 +1,11 @@ { "name": "Query which has Mitre Attack Data", - "description": "Example query which has Mitre Attack Data as threats", + "description": "Example query which has Mitre Attack Data as threat", "risk_score": 1, "severity": "high", "type": "query", "query": "user.name: root or user.name: admin", - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json index 8fa8b6da83bc3..082dd5205a142 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json @@ -40,7 +40,7 @@ "from": "now-6m", "severity": "high", "type": "query", - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json index d2f0ccba38572..9d8b0d6b4922d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json @@ -40,7 +40,7 @@ "from": "now-6m", "severity": "high", "type": "saved_query", - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/imports/multiple_ruleid_queries_corrupted.ndjson b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/imports/multiple_ruleid_queries_corrupted.ndjson index 744bd1e078a41..31acaa5bd9803 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/imports/multiple_ruleid_queries_corrupted.ndjson +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/imports/multiple_ruleid_queries_corrupted.ndjson 
@@ -1,4 +1,4 @@ -{"created_at":"2020-01-09T01:38:00.740Z","updated_at":"2020-01-09T01:38:00.740Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"6688f367-1aa2-4895-a5a8-b3701eecf57d","immutable":false,"interval":"5m","rule_id":"query-rule-id-1","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":1,"name":"Query with a rule id Number 1","query":"user.name: root or user.name: admin","references":[],"severity":"high","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1}, -{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-2","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1} -{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-3","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1} +{"created_at":"2020-01-09T01:38:00.740Z","updated_at":"2020-01-09T01:38:00.740Z","created_by":"elastic_kibana","description":"Query 
with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"6688f367-1aa2-4895-a5a8-b3701eecf57d","immutable":false,"interval":"5m","rule_id":"query-rule-id-1","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":1,"name":"Query with a rule id Number 1","query":"user.name: root or user.name: admin","references":[],"severity":"high","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1}, +{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-2","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1} +{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-3","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1} {"exported_count":2,"missing_rules":[],"missing_rules_count":0} 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json
index 3dcc7016cb983..eb210cd8153d7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json
@@ -40,7 +40,7 @@
 "from": "now-6m",
 "severity": "high",
 "type": "query",
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/sample_signal.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/sample_signal.json
index 8cba054d4d205..48b00930412b4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/sample_signal.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/sample_signal.json
@@ -13,13 +13,8 @@
 "id": "e6f890af316a25920c951acefc46bfef",
 "name": "suricata-iowa",
 "containerized": false,
- "ip": [
- "10.128.0.21",
- "fe80::4001:aff:fe80:15"
- ],
- "mac": [
- "42:01:0a:80:00:15"
- ],
+ "ip": ["10.128.0.21", "fe80::4001:aff:fe80:15"],
+ "mac": ["42:01:0a:80:00:15"],
 "hostname": "suricata-iowa"
 },
 "client": {
@@ -73,11 +68,8 @@
 "bytes": 80
 },
 "process": {
- "args": [
- "\/usr\/bin\/python3",
- "\/usr\/bin\/google_network_daemon"
- ],
- "executable": "\/usr\/bin\/python3.7",
+ "args": ["/usr/bin/python3", "/usr/bin/google_network_daemon"],
+ "executable": "/usr/bin/python3.7",
 "created": "2019-11-04T15:01:04.190Z",
 "pid": 808,
 "name": "google_network_"
@@ -137,38 +129,26 @@ "rule": { "id": "8d9bb7f1-9d8a-4f13-ae18-ccaf4ff61893", "rule_id": "rule-1", - "false_positives": [ - - ], + "false_positives": [], "max_signals": 100, "risk_score": 1, "description": "Detecting root and admin users", "from": "now-6s", "immutable": false, - "index": [ - "auditbeat-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], + "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "winlogbeat-*"], "interval": "5s", "language": "kuery", - "name": "Detect Root\/Admin Users", + "name": "Detect Root/Admin Users", "query": "user.name: root or user.name: admin", - "references": [ - "http:\/\/www.example.com", - "https:\/\/ww.example.com" - ], + "references": ["http://www.example.com", "https://ww.example.com"], "severity": "high", - "tags": [ - - ], + "tags": [], "type": "query", "to": "now", "enabled": true, "created_by": "elastic", "updated_by": "elastic", - "threats": [ + "threat": [ { "framework": "fake", "technique": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts index 9a79b27bac7e9..6507e6ca73ede 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts @@ -33,7 +33,7 @@ export const sampleRuleAlertParams = ( timelineId: undefined, timelineTitle: undefined, meta: undefined, - threats: undefined, + threat: undefined, version: 1, updatedAt: '2019-12-17T15:04:25.343Z', createdAt: '2019-12-17T15:04:37.105Z', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts index 1093ff3a8a462..ba1b2f695156b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts
@@ -56,7 +56,7 @@ export const buildRule = ({
 filters: ruleParams.filters,
 created_by: createdBy,
 updated_by: updatedBy,
- threats: ruleParams.threats,
+ threat: ruleParams.threat,
 version: ruleParams.version,
 created_at: ruleParams.createdAt,
 updated_at: ruleParams.updatedAt,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
index 5b0185cf3a6f8..370ed65280849 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -53,7 +53,7 @@ export const signalRulesAlertType = ({
 maxSignals: schema.number({ defaultValue: DEFAULT_MAX_SIGNALS }),
 riskScore: schema.number(),
 severity: schema.string(),
- threats: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
+ threat: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
 to: schema.string(),
 type: schema.string(),
 updatedAt: schema.string(),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
index 23f538cfae685..d1c9845dbbcfc 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
@@ -46,7 +46,7 @@ export interface RuleAlertParams {
 to: string;
 timelineId: string | undefined | null;
 timelineTitle: string | undefined | null;
- threats: ThreatParams[] | undefined | null;
+ threat: ThreatParams[] | undefined | null;
 type: 'query' | 'saved_query';
 version: number;
 updatedAt: string;
diff --git a/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts b/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts
index 237e419368376..f85fb2c9fd753 100644
--- a/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts
@@ -307,7 +307,7 @@ export const signalFieldsMap: Readonly> = {
 'signal.rule.references': 'signal.rule.references',
 'signal.rule.severity': 'signal.rule.severity',
 'signal.rule.tags': 'signal.rule.tags',
- 'signal.rule.threats': 'signal.rule.threats',
+ 'signal.rule.threat': 'signal.rule.threat',
 'signal.rule.type': 'signal.rule.type',
 'signal.rule.size': 'signal.rule.size',
 'signal.rule.enabled': 'signal.rule.enabled',
From 6cb92b723cb55936bba16518c183397a58b14220 Mon Sep 17 00:00:00 2001
From: FrankHassanabad
Date: Fri, 24 Jan 2020 20:28:25 -0700
Subject: [PATCH 7/9] Updated signal mapping
---
 .../routes/index/signals_mapping.json | 32 ++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json
index fc936444db699..4986c100f1b0b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json
@@ -88,7 +88,37 @@
 "type": "keyword"
 },
 "threat": {
- "type": "object"
+ "properties": {
+ "framework": {
+ "type": "keyword"
+ },
+ "tactic": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "reference": {
+ "type": "keyword"
+ }
+ }
+ },
+ "technique": {
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "reference": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
 },
 "type": {
 "type": "keyword"
From 96ca72608e118f61ab103314fa4a06cee492f35c Mon Sep 17 00:00:00 2001
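Review bot: The new `threat` mapping pins `framework`, `tactic.*` and `technique.*` to keyword fields but leaves the object's dynamic setting at the inherited default, so any extra key a rule author places in a threat entry is still dynamically mapped into the signals index — and the alert-type params schema in signal_rule_alert_type.ts (earlier in this series) validates `threat` with `schema.object({}, { allowUnknowns: true })`, so unless the route-level schema (not in this hunk) forbids them, nothing upstream rejects such keys. If a fixed schema is the intent, add `"dynamic": false,` next to `"properties": {` under `"threat"` so unexpected sub-fields are stored without creating new index fields; `"dynamic": "strict"` would instead make the signal write fail at index time, which is an availability risk for a detection pipeline. Note also that a shape mismatch (e.g. `tactic` supplied as a string) now surfaces as an indexing error rather than a validation error; that is worth stating in the params schema or the index README, since JSON gives the mapping file no place for a comment.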
From: FrankHassanabad Date: Fri, 24 Jan 2020 20:51:14 -0700 Subject: [PATCH 8/9] Changed EIA to use the tag of Elastic and added Elastic to the other tags --- .../rules/prepackaged_rules/500_response_on_admin_page.json | 1 + ...eql_adding_the_hidden_file_attribute_with_via_attribexe.json | 2 +- .../rules/prepackaged_rules/eql_adobe_hijack_persistence.json | 2 +- .../prepackaged_rules/eql_audio_capture_via_powershell.json | 2 +- .../prepackaged_rules/eql_audio_capture_via_soundrecorder.json | 2 +- .../rules/prepackaged_rules/eql_bypass_uac_event_viewer.json | 2 +- .../rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json | 2 +- .../rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json | 2 +- .../prepackaged_rules/eql_clearing_windows_event_logs.json | 2 +- .../eql_delete_volume_usn_journal_with_fsutil.json | 2 +- .../eql_deleting_backup_catalogs_with_wbadmin.json | 2 +- .../prepackaged_rules/eql_direct_outbound_smb_connection.json | 2 +- .../eql_disable_windows_firewall_rules_with_netsh.json | 2 +- .../rules/prepackaged_rules/eql_dll_search_order_hijack.json | 2 +- .../eql_encoding_or_decoding_files_via_certutil.json | 2 +- .../prepackaged_rules/eql_local_scheduled_task_commands.json | 2 +- .../rules/prepackaged_rules/eql_local_service_commands.json | 2 +- .../eql_modification_of_boot_configuration.json | 2 +- .../eql_msbuild_making_network_connections.json | 2 +- .../prepackaged_rules/eql_mshta_making_network_connections.json | 2 +- .../prepackaged_rules/eql_msxsl_making_network_connections.json | 2 +- .../prepackaged_rules/eql_psexec_lateral_movement_command.json | 2 +- .../eql_suspicious_ms_office_child_process.json | 2 +- .../eql_suspicious_ms_outlook_child_process.json | 2 +- .../eql_suspicious_pdf_reader_child_process.json | 2 +- .../rules/prepackaged_rules/eql_system_shells_via_services.json | 2 +- .../eql_unusual_network_connection_via_rundll32.json | 2 +- .../prepackaged_rules/eql_unusual_parentchild_relationship.json | 2 +- 
.../eql_unusual_process_network_connection.json | 2 +- .../rules/prepackaged_rules/eql_user_account_creation.json | 2 +- .../eql_user_added_to_administrator_group.json | 2 +- .../eql_volume_shadow_copy_deletion_via_vssadmin.json | 2 +- .../eql_volume_shadow_copy_deletion_via_wmic.json | 2 +- .../eql_windows_script_executing_powershell.json | 2 +- .../prepackaged_rules/eql_wmic_command_lateral_movement.json | 2 +- .../rules/prepackaged_rules/linux_kernel_module_activity.json | 2 +- .../rules/prepackaged_rules/linux_lzop_activity.json | 1 + .../linux_network_anomalous_process_using_https_ports.json | 1 + .../rules/prepackaged_rules/linux_ptrace_activity.json | 1 + .../rules/prepackaged_rules/linux_rawshark_activity.json | 1 + .../rules/prepackaged_rules/linux_web_download.json | 1 + .../rules/prepackaged_rules/network_port_8000_activity.json | 1 + ...ligent_transfer_service_bits_connecting_to_the_internet.json | 1 + .../rules/prepackaged_rules/windows_burp_ce_activity.json | 1 + .../windows_certutil_connecting_to_the_internet.json | 1 + .../windows_command_prompt_connecting_to_the_internet.json | 1 + .../windows_command_shell_started_by_internet_explorer.json | 1 + .../windows_command_shell_started_by_powershell.json | 1 + .../windows_command_shell_started_by_svchost.json | 1 + .../prepackaged_rules/windows_credential_dumping_commands.json | 1 + .../windows_credential_dumping_via_imageload.json | 1 + .../windows_credential_dumping_via_registry_save.json | 1 + .../windows_data_compression_using_powershell.json | 1 + .../windows_defense_evasion_decoding_using_certutil.json | 1 + ...windows_defense_evasion_or_persistence_via_hidden_files.json | 1 + .../windows_defense_evasion_via_filter_manager.json | 1 + .../windows_defense_evasion_via_windows_event_log_tools.json | 1 + .../windows_execution_via_compiled_html_file.json | 1 + .../windows_execution_via_connection_manager.json | 1 + .../windows_execution_via_microsoft_html_application_hta.json | 1 + 
.../windows_execution_via_net_com_assemblies.json | 1 + .../rules/prepackaged_rules/windows_execution_via_regsvr32.json | 1 + .../windows_execution_via_trusted_developer_utilities.json | 1 + ...html_help_executable_program_connecting_to_the_internet.json | 1 + .../windows_image_load_from_a_temp_directory.json | 1 + .../prepackaged_rules/windows_indirect_command_execution.json | 1 + .../rules/prepackaged_rules/windows_iodine_activity.json | 1 + .../windows_management_instrumentation_wmi_execution.json | 1 + ...crosoft_html_application_hta_connecting_to_the_internet.json | 1 + .../rules/prepackaged_rules/windows_mimikatz_activity.json | 1 + .../windows_misc_lolbin_connecting_to_the_internet.json | 1 + .../windows_net_command_activity_by_the_system_account.json | 1 + .../prepackaged_rules/windows_net_user_command_activity.json | 1 + .../rules/prepackaged_rules/windows_netcat_activity.json | 1 + .../prepackaged_rules/windows_netcat_network_activity.json | 1 + ...ows_network_anomalous_windows_process_using_https_ports.json | 1 + .../rules/prepackaged_rules/windows_nmap_activity.json | 1 + .../rules/prepackaged_rules/windows_nmap_scan_activity.json | 1 + .../windows_payload_obfuscation_via_certutil.json | 1 + .../windows_persistence_or_priv_escalation_via_hooking.json | 1 + .../windows_persistence_via_application_shimming.json | 1 + .../prepackaged_rules/windows_persistence_via_bits_jobs.json | 1 + ...indows_persistence_via_modification_of_existing_service.json | 1 + .../windows_persistence_via_netshell_helper_dll.json | 1 + .../windows_powershell_connecting_to_the_internet.json | 1 + .../windows_priv_escalation_via_accessibility_features.json | 1 + .../windows_process_discovery_via_tasklist_command.json | 1 + .../prepackaged_rules/windows_process_execution_via_wmi.json | 1 + ...dows_process_started_by_acrobat_reader_possible_payload.json | 1 + ...s_process_started_by_ms_office_program_possible_payload.json | 1 + .../windows_process_started_by_the_java_runtime.json | 1 + 
.../rules/prepackaged_rules/windows_psexec_activity.json | 1 + ...dows_register_server_program_connecting_to_the_internet.json | 1 + .../rules/prepackaged_rules/windows_registry_query_local.json | 1 + .../rules/prepackaged_rules/windows_registry_query_network.json | 1 + .../prepackaged_rules/windows_remote_management_execution.json | 1 + .../prepackaged_rules/windows_scheduled_task_activity.json | 1 + .../windows_script_interpreter_connecting_to_the_internet.json | 1 + .../windows_signed_binary_proxy_execution.json | 1 + .../windows_signed_binary_proxy_execution_download.json | 1 + .../windows_suspicious_process_started_by_a_script.json | 1 + .../prepackaged_rules/windows_whoami_command_activity.json | 1 + .../rules/prepackaged_rules/windows_windump_activity.json | 1 + .../rules/prepackaged_rules/windows_wireshark_activity.json | 1 + 104 files changed, 104 insertions(+), 35 deletions(-) diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json index d9f4b6ad709af..3b4bcbe670921 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json @@ -14,6 +14,7 @@ "risk_score": 50, "rule_id": "054f669c-b065-492e-acd9-15e44fc42380", "severity": "low", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json index 33a51b507709f..6843f622bee8f 100644 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json index 1721c9fa108ef..fcc105f2447e8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json index b8d97949d5499..feaa8451754a5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json index da10251bc5bbc..0365616e86faf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json index d0ccf666c8ef8..e3d57d2b05503 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json index 03288c2e7b937..0d9346a7e1f88 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json 
@@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json index f71a5835046af..3e99f1be6bf2e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json index fb8ad7c84ec6e..9d8d3bab1ace7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json index d09b99b4db789..e69de058960d4 100644 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json index d9d4c6980ae8a..cbf51ffb7c20b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json index 372072ca4c474..5e8321c6777aa 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json @@ -14,7 +14,7 @@ "risk_score": 50, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json index 4d2b379cad3e2..c9510913a151f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json @@ -14,7 +14,7 @@ "risk_score": 50, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "severity": "medium", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json index abee2a90d53be..214ddfaf0feec 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json @@ -14,7 +14,7 @@ "risk_score": 50, "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716", "severity": "medium", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json index 331d22b0412d2..e531a2d05a97e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json @@ -14,7 +14,7 @@ "risk_score": 50, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json index 8c1c9351013bb..426d32b9b1e48 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json index 7b5f1746c7fea..71f94ecf91788 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json index fdd9ba268bd9b..162dfe717df55 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json @@ -14,7 +14,7 @@ "risk_score": 75, "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8", "severity": "high", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json index 0d555bcbe0355..296f6f0862374 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json @@ -14,7 +14,7 @@ "risk_score": 50, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json index d18a172561596..18c9e286c99ef 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json @@ -15,7 +15,7 @@ "risk_score": 50, "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8", "severity": "medium", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json index a4854196c2369..b21b17cd89abf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json @@ -14,7 +14,7 @@ "risk_score": 50, "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525", "severity": "medium", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json index a5716db2bef28..3e04dd4be292b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json @@ -14,7 +14,7 @@ "risk_score": 50, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "type": "query", "version": 1 } 
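Review bot: In eql_psexec_lateral_movement_command.json the context goes from `"tags": ["Elastic"],` straight to `"type": "query",` — assuming the keys are sorted as in the sibling rules, this lateral-movement rule ships with no `threat` block, so it will be the one prepackaged rule in this run that cannot be filtered or counted by MITRE ATT&CK tactic once the new `signal.rule.threat` mapping lands. It also pairs `"risk_score": 50` with `"severity": "low"`, while the other risk_score-50 rules in this series (direct_outbound_smb_connection, dll_search_order_hijack, msbuild_making_network_connections) use `"severity": "medium"`, which makes severity-based triage inconsistent for the same score. Either align it (`"severity": "medium"` plus a Lateral Movement `threat` entry) or, if the omission is deliberate, say so in the rule's `description` so the next maintainer does not "fix" it; the rest of the rule file is outside this hunk.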
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json index 8a3f8414f4f44..ac66af50ecd1d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json index a1e1a3438ac34..928144f0ecf0c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json index 533d8c3b17682..160da5b899042 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json @@ -14,7 +14,7 @@ "risk_score": 75, "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f", "severity": "high", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json index b54fef4b94a2c..268e8110c508d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json @@ -14,7 +14,7 @@ "risk_score": 50, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json index f114875d13f92..7332cc7710347 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json @@ -14,7 +14,7 @@ "risk_score": 25, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "low", - "tags": ["EIA"], + "tags": ["Elastic"], "threat": [ { "framework": "MITRE ATT&CK", 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
index 6d4144fea7023..d13d23a9354f7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
@@ -14,7 +14,7 @@
 "risk_score": 50,
 "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
 "severity": "medium",
- "tags": ["EIA"],
+ "tags": ["Elastic"],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
index 4e6e33fe2ff5e..138ecbb820513 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
@@ -14,7 +14,7 @@
 "risk_score": 25,
 "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267",
 "severity": "low",
- "tags": ["EIA"],
+ "tags": ["Elastic"],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
index d0d720d8c68ca..9f3ecdb7a7f57 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json
@@ -14,7 +14,7 @@
 "risk_score": 50,
 "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
 "severity": "low",
- "tags": ["EIA"],
+ "tags": ["Elastic"],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
index 0f27141ca83b7..1a0e0f8dcb2ad 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json
@@ -14,7 +14,7 @@
 "risk_score": 50,
 "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27",
 "severity": "medium",
- "tags": ["EIA"],
+ "tags": ["Elastic"],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
index 8ef7f78b8fc0e..794fec38b380e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json
@@ -14,7 +14,7 @@
 "risk_score": 75,
 "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
 "severity": "high",
- "tags": ["EIA"],
+ "tags": ["Elastic"],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
index eb8de4621b545..a3e94b08275be 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json
@@ -14,7 +14,7 @@
 "risk_score": 75,
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
 "severity": "high",
- "tags": ["EIA"],
+ "tags": ["Elastic"],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
index 1fd351d510be0..868d84ef9ebce 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json
@@ -14,7 +14,7 @@
 "risk_score": 50,
 "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
 "severity": "low",
- "tags": ["EIA"],
+ "tags": ["Elastic"],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
index bdb45a4f34542..5c2804507cbd2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json
@@ -14,7 +14,7 @@
 "risk_score": 25,
 "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210",
 "severity": "low",
- "tags": ["EIA"],
+ "tags": ["Elastic"],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
index 5adfe254f6df9..1529862571381 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
@@ -13,7 +13,7 @@
 "risk_score": 25,
 "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
 "severity": "low",
- "tags": ["EIA", "auditbeat"],
+ "tags": ["Elastic", "auditbeat"],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
index bea3257137ed0..8061ff72e130b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "d7359214-54a4-4572-9e51-ebf79cda9b04",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
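Review bot: The linux_lzop_activity hunk adds `"tags": ["Elastic"]` to the rule payload but leaves the adjacent `"version": 1` untouched, and the same holds for every later `@@ -14,6 +14,7 @@` hunk (linux_*, network_port_8000_activity and the windows_* rules through windows_net_user_command_activity). If the prepackaged-rule update path decides whether to overwrite an installed rule by comparing this field, installations that already loaded these rules will keep the untagged copy; bumping to `"version": 2` in each changed file, or confirming that none of these rules have shipped yet, would settle that. The `"EIA"` to `"Elastic"` renames in the earlier hunks raise the same question, since they also change rule content without touching the version.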
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json
index 0b1527104dc35..f10c940f8bb93 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "be40c674-1799-4a00-934d-0b2d54495913",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json
index 779b2c831cbdc..6f99312c04a00 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "1bff9259-e160-4920-bf72-4c96b6dbb7af",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json
index 7a4ea90f7aea2..148468e959899 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "30eb2b9d-b53b-4ba5-bfab-7119a8b84029",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json
index 893ef5ef58e18..311e2b5779602 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "e8ec93a6-49d2-4467-8c12-81c435fcc519",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
index 2744d022f1402..73a634a3a9f42 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "9c5f8092-e3f7-4eda-b9d3-56eed28fb157",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
index 574f40496bc2d..91abe1368b011 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
index 8202b248a9956..f3e62405d6e18 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "0f09845b-2ec8-4770-8155-7df3d4e402cc",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
index 4222370c2dcad..451a1ad4942de 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
index 3c01d7d12afd3..6a2a9213a94a9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
index 671277e3dceb7..92edd71a665dd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "7a6e1e81-deae-4cf6-b807-9a768fff3c06",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
index 386e429de76a1..663b2485fab93 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
index 2fd16c3186d1e..73ab27a131e3d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
index 82e212f018ad8..9516b80412582 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "66885745-ea38-432c-9edb-599b943948d4",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
index 3bf85c3592fb7..06a9de8f20720 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "f872647c-d070-4b1c-afcc-055f081d9205",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
index 70badf1eaa265..a19646d2f83cf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "9f6fb56f-4bbd-404e-b955-49dfba7c0e68",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
index e72805bd54629..9be27cbec023f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "bc913943-e1f9-4bf5-a593-caca7c2eb0c3",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
index 6b0f86fee3037..a4126a9b45ec9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "d9642bf2-87d0-45c2-8781-2bd2017cdbb8",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
index bf298cd2ade88..edba96cbcc37b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "340a0063-baba-447b-8396-26a5cc1eb684",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
index 027c06cb85bd9..56c2a3ecd7eaf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
index d4818b89a3b21..2f25c7282a87d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "07979a67-ab4d-460f-9ff3-bf1352de6762",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
index b5a959339baa0..079d33bf0f676 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
index 00f7e9078bfe3..9c8a4f4b47dce 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "f2728299-167a-489c-913c-2e0955ac3c40",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
index 5166efa9d4e98..d986ccbb865f8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "b007cc82-c522-48d1-b7a7-53f63c50c494",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
index fb80c1e21feab..26e99cbb59e48 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "5c12412f-602c-4120-8c4f-69d723dbba04",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
index 370bc1cfff6cf..06d4a075c4e6b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "b7333d08-be4b-4cb4-b81e-924ae37b3143",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
index 296d0b09b56ff..bc3ebf38181a0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
index e09c2d0ef8bbd..cec9fe4a4aebe 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
index 793bf4416f631..3e80b58377af6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
@@ -41,6 +41,7 @@
 "risk_score": 50,
 "rule_id": "f23e4cc7-6825-4a28-b27a-e67437a9a806",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
index 64b62b3135dd4..a7f22358a11d9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "ff969842-c573-4e69-8e12-02fb303290f2",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
index 17dab9b0ac65a..8aae9dc83a1cd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "fcbbf0b2-99c5-4c7f-8411-dc9ee392e43f",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
index 6436a7e163672..da525a8573264 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "cec5eb81-6e01-40e5-a1bf-bf175cce4eb4",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
index 7efeca17368a3..2f7a8dbee7c80 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "b084514b-e8ba-4bc4-bc2b-50fe145a4215",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
index 3f83cb6184b16..64641bb539cb9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "5346463d-062f-419d-88ff-7a5e97875210",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
index f56c7e9fd22ec..bb08cd4023e6a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
index 750d1a3b5fdac..fce37db4fae3d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "c3f5dc81-a8b4-4144-95a7-d0a818d7355d",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
index fcfe675c55c19..555bb4afb0c10 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "b039a69d-7fba-4c84-8029-57ac12548a15",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
index 6ae39cbf95767..288bc6dd2375b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "e2437364-0c89-4e65-a34b-782cfbb7690b",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
index 4fea22bd6fd13..a533cd36ffdcf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "ebdc4b6f-7fdb-4c21-bbd6-59e1ed11024a",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
index e5ca52ebe9eec..173e5191d9e65 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "b486fa9e-e6c7-44a1-b07d-7d5f07f21ce1",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
index d1ef7210804a7..dc231e5edce1e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "5a4b2a98-31a6-4852-b224-d63aeb9e172d",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
index b0a170d67f98b..ccd49169e6497 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "54413985-a3da-4f45-b238-75afb65a1bae",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
index 9de97cd34036d..f7a331ca01474 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "ce7c270c-c69b-47dd-8c21-60a35e92f372",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
index e837190667722..379cab0f07438 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "015f070d-cf70-437c-99d1-472e31d36b03",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
index 531f4231fd6ea..ca5daf772a22e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
index f892a437f7912..4c6515f33fad0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "7904fb20-172c-43fb-83e4-bfe27e3c702c",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
index 71c66296e8431..01b56a1ecd1e0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "3bb04809-84ab-4487-bd99-ccc58675bd40",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
index 7f36aaf96f588..50b31aa7033eb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "d7c2561d-2758-46ad-b5a9-247efb9eea21",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
index 6a9b6e343a6da..5198f85b999ac 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "a8cfa646-e4d8-48b5-884e-6204ba77fc8d",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
index 753038e3134d9..f24460373f55d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
index 9e952233c3ac9..fd2bfcf216bf3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
index febf68c7523f6..1e14de81b7cb2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "7e6cd4b9-6346-4683-b3e6-6a3e66f3208f",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
index ae9c23409f99e..973a7df57f712 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "b6422896-b6e3-45c3-9d9e-4eccb2a25270",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
index fbc6f2a54de9d..cb7b234c21f8c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "838dcec6-ce9a-4cdd-9ca8-f6512cf6d559",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
index 77974c687b4e9..c684be0732064 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "159168a1-b1d0-4e5c-ad72-c1e9ae2edec2",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
index 6314850572b47..e4c91b6f89cd4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "3e61ab8b-0f39-4d2e-ab64-332f0d0b3ad7",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
index 65b0deb30716d..a106eda988e94 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
index 2f08a68fec577..49642d271d4ea 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "b9074c74-6d23-4b07-927e-cc18b318a088",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
index 9172398151ed3..884deb7645a67 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "f5412e37-981e-4d37-a1b2-eddaf797445a",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
index b6ab642a2cb30..08d96ad741502 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "ced66221-3e07-40ee-8588-5f107e7d50d8",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
index ade47d2a70e06..56f5b71ceb510 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "a1abd54d-3021-4f21-b2d1-0c6bc5c4051f",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
index 27dcd02356440..a700ac0a48bc2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "2cc4597c-b0c9-4481-b1a6-e6c05cfc9f02",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
index 6638ac5ad4206..1dc62c7b5db42 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "7edb573f-1f9b-4161-8c19-c7c383bb17f2",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
index f342425c7dbd0..717d99ee7901c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "68ecc190-cce2-4021-b976-c7c846ac0a00",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
index 4cb62186ab3f4..82733cbb6b21c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "89db767d-99f9-479f-8052-9205fd3090c4",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
index f4c9e2af2ff64..768cd65c5e4f5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
index ebafb8a416505..4f33e95cfe2e9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "a342cfcb-8420-46a4-8d85-53edc631e0d6",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
index 833b3d99bb2e9..72db4aed03c88 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
@@ -14,6 +14,7 @@
 "risk_score": 50,
 "rule_id": "9af965ed-d501-4541-97f6-5f8d2a39737b",
 "severity": "low",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
From e57c6a2bbc8c0d7b4fb918745aada064e0f05731 Mon Sep 17 00:00:00 2001
From: FrankHassanabad
Date: Fri, 24 Jan 2020 20:57:44 -0700
Subject: [PATCH 9/9] Added signal threat tactic name
---
 .../components/signals_histogram_panel/config.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/config.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/config.ts
index d475fd155ea25..2c5a1ddd9a010 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/config.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/config.ts
@@ -9,6 +9,7 @@ import { SignalsHistogramOption } from './types';
 export const signalsHistogramOptions: SignalsHistogramOption[] = [
 { text: 'signal.rule.risk_score', value: 'signal.rule.risk_score' },
 { text: 'signal.rule.severity', value: 'signal.rule.severity' },
+ { text: 'signal.rule.threat.tactic.name', value: 'signal.rule.threat.tactic.name' },
 { text: 'destination.ip', value: 'destination.ip' },
 { text: 'event.action', value: 'event.action' },
 { text: 'event.category', value: 'event.category' },
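Review bot: `signal.rule.threat.tactic.name` is a multi-valued field whenever a rule declares more than one `threat` entry, so a histogram bucketed on it counts a signal once per distinct tactic name and the bucket totals can exceed the number of signals — unlike `signal.rule.risk_score` and `signal.rule.severity` just above it, which hold one value per signal. That is fine for a stacked view but surprising if a reader takes the buckets as a partition, so a short comment on the new line would help, e.g. `// multi-valued per rule: a signal is counted once per distinct tactic name`. The `signalsHistogramOptions` array continues past the end of the hunk.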