From 925cb6825644d0ec2342f7c4860e1bc1f812ec30 Mon Sep 17 00:00:00 2001 
From: Frank Hassanabad Date: Fri, 24 Jan 2020 22:18:52 -0700 Subject: [PATCH] [SIEM][Detection Engine] Critical blocker rule changes and ECS changes * Changes ECS `techniques` to the word `technique` as `techniques` is incorrect ECS and incorrect mapping and without this our product could crash * Changes ECS `threats` to the word `threat` as `threats` is incorrect ECS and incorrect mapping and without this our product could crash * Added histogram mapping for `signal.rule.threat.tactic.name` as that was missing * Added `Elastic` and removed `EIA` for tags * Updates unit tests * Cleans up rules by removing extra characters and removing fields not required. * Adds concrete index'es as this was a critical breaking bug * Fixes issues with imports where imports could change an immutable from false to true and suddenly cause out of band immutables to occur. Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ~~- [ ] This was checked for breaking API changes and 
was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ - [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) --- .../detection_engine/rules/types.ts | 4 +- .../siem/public/graphql/introspection.json | 2 +- .../plugins/siem/public/graphql/types.ts | 2 +- .../signals_histogram_panel/config.ts | 1 + .../mitre/mitre_tactics_techniques.ts | 2 +- .../rules/all/__mocks__/mock.ts | 6 +- .../components/description_step/helpers.tsx | 25 ++-- .../components/description_step/index.tsx | 10 +- .../components/description_step/types.ts | 4 +- .../rules/components/mitre/helpers.ts | 4 +- .../rules/components/mitre/index.tsx | 16 +-- .../rules/components/mitre/translations.ts | 2 +- .../step_about_rule/default_value.ts | 6 +- .../components/step_about_rule/index.tsx | 6 +- .../components/step_about_rule/schema.tsx | 4 +- .../detection_engine/rules/create/helpers.ts | 20 +-- .../pages/detection_engine/rules/helpers.tsx | 4 +- .../pages/detection_engine/rules/types.ts | 6 +- .../overview/signals_by_category/index.tsx | 2 +- .../siem/server/graphql/ecs/schema.gql.ts | 2 +- .../plugins/siem/server/graphql/types.ts | 6 +- .../routes/__mocks__/request_responses.ts | 12 +- .../routes/index/signals_mapping.json | 34 ++++- .../routes/rules/create_rules_bulk_route.ts | 4 +- .../routes/rules/create_rules_route.ts | 4 +- .../routes/rules/import_rules_route.ts | 6 +- .../routes/rules/update_rules_bulk_route.ts | 4 +- .../routes/rules/update_rules_route.ts | 4 +- .../routes/rules/utils.test.ts | 56 ++++---- .../detection_engine/routes/rules/utils.ts | 2 +- .../add_prepackaged_rules_schema.test.ts | 133 ++++-------------- .../schemas/add_prepackaged_rules_schema.ts | 14 +- .../schemas/create_rules_schema.test.ts | 44 +++--- .../routes/schemas/create_rules_schema.ts | 4 +- 
.../schemas/import_rules_schema.test.ts | 85 +++++++---- .../routes/schemas/import_rules_schema.ts | 6 +- .../routes/schemas/schemas.ts | 4 +- .../schemas/update_rules_schema.test.ts | 54 +++---- .../routes/schemas/update_rules_schema.ts | 4 +- .../detection_engine/rules/create_rules.ts | 4 +- .../create_rules_stream_from_ndjson.test.ts | 20 +-- .../rules/get_export_all.test.ts | 2 +- .../rules/get_export_by_object_ids.test.ts | 6 +- .../rules/install_prepacked_rules.ts | 4 +- .../403_response_to_a_post.json | 23 ++- .../405_response_method_not_allowed.json | 23 ++- .../500_response_on_admin_page.json | 15 +- ...den_file_attribute_with_via_attribexe.json | 26 ++-- .../eql_adobe_hijack_persistence.json | 22 +-- .../eql_audio_capture_via_powershell.json | 22 +-- .../eql_audio_capture_via_soundrecorder.json | 22 +-- .../eql_bypass_uac_event_viewer.json | 22 +-- .../eql_bypass_uac_via_cmstp.json | 22 +-- .../eql_bypass_uac_via_sdclt.json | 22 +-- .../eql_clearing_windows_event_logs.json | 22 +-- ...delete_volume_usn_journal_with_fsutil.json | 22 +-- ...deleting_backup_catalogs_with_wbadmin.json | 22 +-- .../eql_direct_outbound_smb_connection.json | 22 +-- ...ble_windows_firewall_rules_with_netsh.json | 22 +-- .../eql_dll_search_order_hijack.json | 24 ++-- ...coding_or_decoding_files_via_certutil.json | 22 +-- .../eql_local_scheduled_task_commands.json | 22 +-- .../eql_local_service_commands.json | 22 +-- ...ql_modification_of_boot_configuration.json | 22 +-- ...ql_msbuild_making_network_connections.json | 22 +-- .../eql_mshta_making_network_connections.json | 26 ++-- .../eql_msxsl_making_network_connections.json | 22 +-- .../eql_psexec_lateral_movement_command.json | 18 +-- ...ql_suspicious_ms_office_child_process.json | 22 +-- ...l_suspicious_ms_outlook_child_process.json | 24 ++-- ...l_suspicious_pdf_reader_child_process.json | 22 +-- .../eql_system_shells_via_services.json | 22 +-- ...usual_network_connection_via_rundll32.json | 22 +-- 
.../eql_unusual_parentchild_relationship.json | 24 ++-- ...ql_unusual_process_network_connection.json | 22 +-- .../eql_user_account_creation.json | 22 +-- ...eql_user_added_to_administrator_group.json | 22 +-- ...ume_shadow_copy_deletion_via_vssadmin.json | 24 ++-- ..._volume_shadow_copy_deletion_via_wmic.json | 24 ++-- ...l_windows_script_executing_powershell.json | 22 +-- .../eql_wmic_command_lateral_movement.json | 24 ++-- .../linux_hping_activity.json | 22 ++- .../linux_iodine_activity.json | 22 ++- .../linux_kernel_module_activity.json | 19 +-- .../linux_ldso_process_activity.json | 19 ++- .../linux_lzop_activity.json | 15 +- .../linux_mknod_activity.json | 22 ++- .../linux_netcat_network_connection.json | 18 +-- ...k_anomalous_process_using_https_ports.json | 15 +- .../linux_nmap_activity.json | 22 ++- .../linux_nping_activity.json | 22 ++- ...nux_process_started_in_temp_directory.json | 18 +-- .../linux_ptrace_activity.json | 14 +- .../linux_rawshark_activity.json | 14 +- .../linux_shell_activity_by_web_server.json | 23 +-- .../linux_socat_activity.json | 18 +-- .../linux_ssh_forwarding.json | 27 ++-- .../linux_strace_activity.json | 22 ++- .../linux_tcpdump_activity.json | 24 ++-- .../prepackaged_rules/linux_web_download.json | 14 +- .../linux_whoami_commmand.json | 21 +-- .../network_dns_directly_to_the_internet.json | 23 ++- ...fer_protocol_activity_to_the_internet.json | 24 ++-- ...hat_protocol_activity_to_the_internet.json | 24 ++-- .../network_nat_traversal_port_activity.json | 17 ++- .../network_port_26_activity.json | 24 ++-- .../network_port_8000_activity.json | 15 +- ...rk_port_8000_activity_to_the_internet.json | 21 +-- ..._to_point_tunneling_protocol_activity.json | 18 +-- ...k_proxy_port_activity_to_the_internet.json | 22 +-- ...te_desktop_protocol_from_the_internet.json | 22 +-- ...mote_desktop_protocol_to_the_internet.json | 24 ++-- ...mote_procedure_call_from_the_internet.json | 22 +-- ...remote_procedure_call_to_the_internet.json | 22 +-- 
...file_sharing_activity_to_the_internet.json | 24 ++-- .../network_smtp_to_the_internet.json | 24 ++-- ..._server_port_activity_to_the_internet.json | 18 +-- ...rk_ssh_secure_shell_from_the_internet.json | 24 ++-- ...work_ssh_secure_shell_to_the_internet.json | 22 +-- .../network_telnet_port_activity.json | 24 ++-- .../network_tor_activity_to_the_internet.json | 22 +-- ...l_network_computing_from_the_internet.json | 24 ++-- ...ual_network_computing_to_the_internet.json | 22 +-- .../prepackaged_rules/null_user_agent.json | 22 ++- .../prepackaged_rules/sqlmap_user_agent.json | 23 ++- ...rvice_bits_connecting_to_the_internet.json | 15 +- .../windows_burp_ce_activity.json | 15 +- ...s_certutil_connecting_to_the_internet.json | 15 +- ...and_prompt_connecting_to_the_internet.json | 15 +- ...nd_shell_started_by_internet_explorer.json | 14 +- ...s_command_shell_started_by_powershell.json | 14 +- ...dows_command_shell_started_by_svchost.json | 14 +- .../windows_credential_dumping_commands.json | 15 +- ...dows_credential_dumping_via_imageload.json | 15 +- ..._credential_dumping_via_registry_save.json | 15 +- ...ows_data_compression_using_powershell.json | 15 +- ...fense_evasion_decoding_using_certutil.json | 15 +- ...asion_or_persistence_via_hidden_files.json | 15 +- ...ws_defense_evasion_via_filter_manager.json | 15 +- ...e_evasion_via_windows_event_log_tools.json | 15 +- ...dows_execution_via_compiled_html_file.json | 15 +- ...dows_execution_via_connection_manager.json | 15 +- ...on_via_microsoft_html_application_hta.json | 15 +- ...dows_execution_via_net_com_assemblies.json | 15 +- .../windows_execution_via_regsvr32.json | 15 +- ...ution_via_trusted_developer_utilities.json | 15 +- ...le_program_connecting_to_the_internet.json | 15 +- ...dows_image_load_from_a_temp_directory.json | 14 +- .../windows_indirect_command_execution.json | 15 +- .../windows_iodine_activity.json | 15 +- ...agement_instrumentation_wmi_execution.json | 15 +- 
...cation_hta_connecting_to_the_internet.json | 15 +- .../windows_mimikatz_activity.json | 14 +- ...isc_lolbin_connecting_to_the_internet.json | 15 +- ...ommand_activity_by_the_system_account.json | 14 +- .../windows_net_user_command_activity.json | 14 +- .../windows_netcat_activity.json | 14 +- .../windows_netcat_network_activity.json | 14 +- ...ous_windows_process_using_https_ports.json | 15 +- .../windows_nmap_activity.json | 14 +- .../windows_nmap_scan_activity.json | 14 +- ...dows_payload_obfuscation_via_certutil.json | 15 +- ...stence_or_priv_escalation_via_hooking.json | 15 +- ..._persistence_via_application_shimming.json | 15 +- .../windows_persistence_via_bits_jobs.json | 15 +- ..._via_modification_of_existing_service.json | 15 +- ...s_persistence_via_netshell_helper_dll.json | 15 +- ...powershell_connecting_to_the_internet.json | 15 +- ...escalation_via_accessibility_features.json | 15 +- ...rocess_discovery_via_tasklist_command.json | 15 +- .../windows_process_execution_via_wmi.json | 15 +- ...ed_by_acrobat_reader_possible_payload.json | 14 +- ...by_ms_office_program_possible_payload.json | 14 +- ...s_process_started_by_the_java_runtime.json | 14 +- .../windows_psexec_activity.json | 15 +- ...er_program_connecting_to_the_internet.json | 15 +- .../windows_registry_query_local.json | 15 +- .../windows_registry_query_network.json | 15 +- .../windows_remote_management_execution.json | 15 +- .../windows_scheduled_task_activity.json | 15 +- ...nterpreter_connecting_to_the_internet.json | 15 +- ...windows_signed_binary_proxy_execution.json | 15 +- ...igned_binary_proxy_execution_download.json | 15 +- ...uspicious_process_started_by_a_script.json | 14 +- .../windows_whoami_command_activity.json | 14 +- .../windows_windump_activity.json | 15 +- .../windows_wireshark_activity.json | 15 +- .../rules/update_prepacked_rules.ts | 4 +- .../detection_engine/rules/update_rules.ts | 6 +- .../import/multiple_ruleid_queries.ndjson | 4 +- 
.../rules/queries/query_mitre_attack.json | 8 +- .../rules/queries/query_with_everything.json | 6 +- .../saved_query_with_everything.json | 6 +- .../multiple_ruleid_queries_corrupted.ndjson | 6 +- .../signals_on_signals/depth_test/README.md | 2 +- .../signals_on_signals/halting_test/README.md | 2 +- .../updates/update_query_everything.json | 6 +- .../scripts/signals/sample_signal.json | 40 ++---- .../signals/__mocks__/es_results.ts | 2 +- .../detection_engine/signals/build_rule.ts | 2 +- .../signals/signal_rule_alert_type.ts | 2 +- .../siem/server/lib/detection_engine/types.ts | 4 +- .../siem/server/lib/ecs_fields/index.ts | 2 +- 203 files changed, 1757 insertions(+), 1646 deletions(-) diff --git a/x-pack/legacy/plugins/siem/public/containers/detection_engine/rules/types.ts b/x-pack/legacy/plugins/siem/public/containers/detection_engine/rules/types.ts index 2e776738547df..b30c3b211b1b8 100644 --- a/x-pack/legacy/plugins/siem/public/containers/detection_engine/rules/types.ts +++ b/x-pack/legacy/plugins/siem/public/containers/detection_engine/rules/types.ts @@ -30,7 +30,7 @@ export const NewRuleSchema = t.intersection([ rule_id: t.string, saved_id: t.string, tags: t.array(t.string), - threats: t.array(t.unknown), + threat: t.array(t.unknown), to: t.string, updated_by: t.string, }), @@ -73,7 +73,7 @@ export const RuleSchema = t.intersection([ tags: t.array(t.string), type: t.string, to: t.string, - threats: t.array(t.unknown), + threat: t.array(t.unknown), updated_at: t.string, updated_by: t.string, }), diff --git a/x-pack/legacy/plugins/siem/public/graphql/introspection.json b/x-pack/legacy/plugins/siem/public/graphql/introspection.json index 35599827ffe42..a9247403bf22c 100644 --- a/x-pack/legacy/plugins/siem/public/graphql/introspection.json +++ b/x-pack/legacy/plugins/siem/public/graphql/introspection.json 
@@ -4940,7 +4940,7 @@ "deprecationReason": null }, { - "name": "threats", + "name": "threat", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "ToAny", "ofType": null }, diff --git a/x-pack/legacy/plugins/siem/public/graphql/types.ts b/x-pack/legacy/plugins/siem/public/graphql/types.ts index 4b6825268403c..6a24ffcc13020 100644 --- a/x-pack/legacy/plugins/siem/public/graphql/types.ts +++ b/x-pack/legacy/plugins/siem/public/graphql/types.ts @@ -1015,7 +1015,7 @@ export interface RuleField { tags?: Maybe; - threats?: Maybe; + threat?: Maybe; type?: Maybe; diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/config.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/config.ts index d475fd155ea25..2c5a1ddd9a010 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/config.ts +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/config.ts @@ -9,6 +9,7 @@ import { SignalsHistogramOption } from './types'; export const signalsHistogramOptions: SignalsHistogramOption[] = [ { text: 'signal.rule.risk_score', value: 'signal.rule.risk_score' }, { text: 'signal.rule.severity', value: 'signal.rule.severity' }, + { text: 'signal.rule.threat.tactic.name', value: 'signal.rule.threat.tactic.name' }, { text: 'destination.ip', value: 'destination.ip' }, { text: 'event.action', value: 'event.action' }, { text: 'event.category', value: 'event.category' }, diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/mitre/mitre_tactics_techniques.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/mitre/mitre_tactics_techniques.ts index 160e006c4d267..16ab73365222b 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/mitre/mitre_tactics_techniques.ts +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/mitre/mitre_tactics_techniques.ts 
@@ -187,7 +187,7 @@ export const tacticsOptions: MitreTacticsOptions[] = [
 },
 ];
-export const techniques = [
+export const technique = [
 {
 name: '.bash_profile and .bashrc',
 id: 'T1156',
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/all/__mocks__/mock.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/all/__mocks__/mock.ts
index b62247e8f9a4f..980575f1470a5 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/all/__mocks__/mock.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/all/__mocks__/mock.ts
@@ -37,7 +37,7 @@ export const mockRule = (id: string): Rule => ({
 tags: [],
 to: 'now',
 type: 'saved_query',
- threats: [],
+ threat: [],
 version: 1,
 });
@@ -87,7 +87,7 @@ export const mockTableData: TableData[] = [
 saved_id: "Garrett's IP",
 severity: 'low',
 tags: [],
- threats: [],
+ threat: [],
 timeline_id: '86aa74d0-2136-11ea-9864-ebc8cc1cb8c2',
 timeline_title: 'Untitled timeline',
 to: 'now',
@@ -136,7 +136,7 @@ export const mockTableData: TableData[] = [
 saved_id: "Garrett's IP",
 severity: 'low',
 tags: [],
- threats: [],
+ threat: [],
 timeline_id: '86aa74d0-2136-11ea-9864-ebc8cc1cb8c2',
 timeline_title: 'Untitled timeline',
 to: 'now',
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx
index 011c008c5b2d2..e1cbc6ee92393 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/helpers.tsx
@@ -24,7 +24,7 @@ import { tacticsOptions, techniquesOptions } from '../../../mitre/mitre_tactics_ import { FilterLabel } from './filter_label'; import * as i18n from './translations'; -import { BuildQueryBarDescription, BuildThreatsDescription, ListItems } from './types'; +import { BuildQueryBarDescription, BuildThreatDescription, ListItems } from './types'; import { SeverityBadge } from '../severity_badge'; import ListTreeIcon from './assets/list_tree_icon.svg'; @@ -94,7 +94,7 @@ export const buildQueryBarDescription = ({ return items; }; -const ThreatsEuiFlexGroup = styled(EuiFlexGroup)` +const ThreatEuiFlexGroup = styled(EuiFlexGroup)` .euiFlexItem { margin-bottom: 0px; } @@ -114,25 +114,22 @@ const ReferenceLinkItem = styled(EuiButtonEmpty)` } `; -export const buildThreatsDescription = ({ - label, - threats, -}: BuildThreatsDescription): ListItems[] => { - if (threats.length > 0) { +export const buildThreatDescription = ({ label, threat }: BuildThreatDescription): ListItems[] => { + if (threat.length > 0) { return [ { title: label, description: ( - - {threats.map((threat, index) => { - const tactic = tacticsOptions.find(t => t.id === threat.tactic.id); + + {threat.map((singleThreat, index) => { + const tactic = tacticsOptions.find(t => t.id === singleThreat.tactic.id); return ( - - + + {tactic != null ? tactic.text : ''} - {threat.techniques.map(technique => { + {singleThreat.technique.map(technique => { const myTechnique = techniquesOptions.find(t => t.id === technique.id); return ( @@ -153,7 +150,7 @@ export const buildThreatsDescription = ({ ); })} - + ), }, ]; diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx index 8cf1601e2c4b6..f1d2609cde8fe 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx 
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx
@@ -24,7 +24,7 @@ import {
 buildQueryBarDescription,
 buildSeverityDescription,
 buildStringArrayDescription,
- buildThreatsDescription,
+ buildThreatDescription,
 buildUnorderedListArrayDescription,
 buildUrlsDescription,
 } from './helpers';
@@ -116,11 +116,11 @@ const getDescriptionItem = (
 savedId,
 indexPatterns,
 });
- } else if (field === 'threats') {
- const threats: IMitreEnterpriseAttack[] = get(field, value).filter(
- (threat: IMitreEnterpriseAttack) => threat.tactic.name !== 'none'
+ } else if (field === 'threat') {
+ const threat: IMitreEnterpriseAttack[] = get(field, value).filter(
+ (singleThreat: IMitreEnterpriseAttack) => singleThreat.tactic.name !== 'none'
 );
- return buildThreatsDescription({ label, threats });
+ return buildThreatDescription({ label, threat });
 } else if (field === 'description') {
 return [
 {
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/types.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/types.ts
index d32fbcd725d12..c120d4a4106d0 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/types.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/types.ts
@@ -27,7 +27,7 @@ export interface BuildQueryBarDescription {
 indexPatterns?: IIndexPattern;
 }
-export interface BuildThreatsDescription {
+export interface BuildThreatDescription {
 label: string;
- threats: IMitreEnterpriseAttack[];
+ threat: IMitreEnterpriseAttack[];
 }
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/helpers.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/helpers.ts
index 1202fe54ad194..7a28a16214df6 100644
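Review bot: In the new `field === 'threat'` branch of getDescriptionItem, `get(field, value).filter(...)` throws a TypeError whenever the rule object carries no `threat` property, and the hunk adds no guard for that; rules persisted under the previous `threats` key are plausibly in exactly that state after this rename. Defaulting the lookup keeps the description step rendering for such rules: `const threat: IMitreEnterpriseAttack[] = (get(field, value) ?? []).filter(` (or `|| []` if the compiler predates TS 3.7). The same unchecked assumption appears in rules/helpers.tsx, where `rule.threat as IMitreEnterpriseAttack[]` asserts over the `unknown[]` that RuleSchema declares in containers/detection_engine/rules/types.ts in this same patch. getDescriptionItem starts and ends outside the hunk.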
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/helpers.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/helpers.ts
@@ -9,9 +9,9 @@ import { IMitreAttack } from '../../types';
 export const isMitreAttackInvalid = (
 tacticName: string | null | undefined,
- techniques: IMitreAttack[] | null | undefined
+ technique: IMitreAttack[] | null | undefined
 ) => {
- if (isEmpty(tacticName) || (tacticName !== 'none' && isEmpty(techniques))) {
+ if (isEmpty(tacticName) || (tacticName !== 'none' && isEmpty(technique))) {
 return true;
 }
 return false;
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx
index f9a22c37cfdf0..d85be053065fc 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/index.tsx
@@ -21,7 +21,7 @@ import styled from 'styled-components';
 import { tacticsOptions, techniquesOptions } from '../../../mitre/mitre_tactics_techniques';
 import * as Rulei18n from '../../translations';
 import { FieldHook, getFieldValidityAndErrorMessage } from '../shared_imports';
-import { threatsDefault } from '../step_about_rule/default_value';
+import { threatDefault } from '../step_about_rule/default_value';
 import { IMitreEnterpriseAttack } from '../../types';
 import { MyAddItemButton } from '../add_item_form';
 import { isMitreAttackInvalid } from './helpers';
@@ -49,7 +49,7 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 const values = field.value as string[];
 const newValues = [...values.slice(0, index), ...values.slice(index + 1)];
 if (isEmpty(newValues)) {
- field.setValue(threatsDefault);
+ field.setValue(threatDefault);
 } else {
 field.setValue(newValues);
 }
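Review bot: The `if (...) { return true; } return false;` shape in isMitreAttackInvalid restates a boolean the condition already computes; the body collapses to `return isEmpty(tacticName) || (tacticName !== 'none' && isEmpty(technique));`. Since the function is exported, an explicit return annotation on the signature, `): boolean => {`, would also document the contract for callers such as the schema validator. The closing of the function lies outside the hunk.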
@@ -62,10 +62,10 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 if (!isEmpty(values[values.length - 1])) {
 field.setValue([
 ...values,
- { tactic: { id: 'none', name: 'none', reference: 'none' }, techniques: [] },
+ { tactic: { id: 'none', name: 'none', reference: 'none' }, technique: [] },
 ]);
 } else {
- field.setValue([{ tactic: { id: 'none', name: 'none', reference: 'none' }, techniques: [] }]);
+ field.setValue([{ tactic: { id: 'none', name: 'none', reference: 'none' }, technique: [] }]);
 }
 }, [field]);
@@ -82,7 +82,7 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 {
 ...values[index],
 tactic: { id, reference, name },
- techniques: [],
+ technique: [],
 },
 ...values.slice(index + 1),
 ]);
@@ -96,7 +96,7 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 ...values.slice(0, index),
 {
 ...values[index],
- techniques: selectedOptions,
+ technique: selectedOptions,
 },
 ...values.slice(index + 1),
 ]);
@@ -133,9 +133,9 @@ export const AddMitreThreat = ({ dataTestSubj, field, idAria, isDisabled }: AddI
 );
 const getSelectTechniques = (item: IMitreEnterpriseAttack, index: number, disabled: boolean) => {
- const invalid = isMitreAttackInvalid(item.tactic.name, item.techniques);
+ const invalid = isMitreAttackInvalid(item.tactic.name, item.technique);
 const options = techniquesOptions.filter(t => t.tactics.includes(kebabCase(item.tactic.name)));
- const selectedOptions = item.techniques.map(technic => ({
+ const selectedOptions = item.technique.map(technic => ({
 ...technic,
 label: `${technic.name} (${technic.id})`, // API doesn't allow for label field
 }));
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/translations.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/translations.ts
index 557e91691b6c7..bbc12800b7df5 100644
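Review bot: The two inline literals `{ tactic: { id: 'none', name: 'none', reference: 'none' }, technique: [] }` in the add-threat handler duplicate `threatDefault` (step_about_rule/default_value.ts, imported at the top of this file and already used by the removal handler a few lines earlier) but omit the `framework` property that `IMitreEnterpriseAttack` declares as required; this presumably compiles only because `field.setValue` does not type its argument against that interface. Reusing the shared default, `field.setValue([...values, ...threatDefault]);` and `field.setValue(threatDefault);`, keeps both handlers producing the same shape, and formatAboutStepData in create/helpers.ts re-applies `framework: 'MITRE ATT&CK'` on submit anyway, so the API payload does not change. AddMitreThreat starts and ends outside the hunk.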
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/translations.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/mitre/translations.ts
@@ -13,7 +13,7 @@ export const TACTIC = i18n.translate('xpack.siem.detectionEngine.mitreAttack.tac
 export const TECHNIQUE = i18n.translate(
 'xpack.siem.detectionEngine.mitreAttack.techniquesDescription',
 {
- defaultMessage: 'technique',
+ defaultMessage: 'techniques',
 }
 );
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts
index 92aca1cecf9f3..70bfc2bcddd62 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/default_value.ts
@@ -7,11 +7,11 @@ import { AboutStepRule } from '../../types';
 import { DEFAULT_TIMELINE_TITLE } from '../../../../../components/timeline/search_super_select/translations';
-export const threatsDefault = [
+export const threatDefault = [
 {
 framework: 'MITRE ATT&CK',
 tactic: { id: 'none', name: 'none', reference: 'none' },
- techniques: [],
+ technique: [],
 },
 ];
@@ -28,5 +28,5 @@ export const stepAboutDefaultValue: AboutStepRule = {
 id: null,
 title: DEFAULT_TIMELINE_TITLE,
 },
- threats: threatsDefault,
+ threat: threatDefault,
 };
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/index.tsx
index 8370af397bfec..4ae88b3014d19 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/index.tsx
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/index.tsx
@@ -227,12 +227,12 @@ const StepAboutRuleComponent: FC = ({ }} /> diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx index 15b793a502840..22033dcf6b0f7 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_about_rule/schema.tsx @@ -139,7 +139,7 @@ export const schema: FormSchema = { ), labelAppend: OptionalFieldLabel, }, - threats: { + threat: { label: i18n.translate( 'xpack.siem.detectionEngine.createRule.stepAboutRule.fieldMitreThreatLabel', { @@ -155,7 +155,7 @@ export const schema: FormSchema = { const [{ value, path }] = args; let hasError = false; (value as IMitreEnterpriseAttack[]).forEach(v => { - if (isMitreAttackInvalid(v.tactic.name, v.techniques)) { + if (isMitreAttackInvalid(v.tactic.name, v.technique)) { hasError = true; } }); diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts index ce91e15cdcf0d..de6678b42df6f 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts @@ -72,15 +72,7 @@ const formatScheduleStepData = (scheduleData: ScheduleStepRule): ScheduleStepRul }; const formatAboutStepData = (aboutStepData: AboutStepRule): AboutStepRuleJson => { - const { - falsePositives, - references, - riskScore, - threats, - timeline, - isNew, - ...rest - } = aboutStepData; + const { falsePositives, references, riskScore, threat, timeline, isNew, ...rest } = aboutStepData; return { false_positives: falsePositives.filter(item => !isEmpty(item)), references: references.filter(item => !isEmpty(item)), 
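Review bot: The validator of the `threat` field in schema.tsx walks every entry with `forEach` only to flip a `hasError` flag, which is `Array.prototype.some` written by hand; `const hasError = (value as IMitreEnterpriseAttack[]).some(v => isMitreAttackInvalid(v.tactic.name, v.technique));` replaces both the `let hasError = false;` line and the loop, and stops at the first invalid entry. The remainder of the validator, including how `hasError` is consumed, lies outside the hunk; if it is reassigned later, keep the `let` and only swap the loop for the `some` call.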
@@ -91,12 +83,12 @@ const formatAboutStepData = (aboutStepData: AboutStepRule): AboutStepRuleJson =>
 timeline_title: timeline.title,
 } : {}),
- threats: threats
- .filter(threat => threat.tactic.name !== 'none')
- .map(threat => ({
- ...threat,
+ threat: threat
+ .filter(singleThreat => singleThreat.tactic.name !== 'none')
+ .map(singleThreat => ({
+ ...singleThreat,
 framework: 'MITRE ATT&CK',
- techniques: threat.techniques.map(technique => {
+ technique: singleThreat.technique.map(technique => {
 const { id, name, reference } = technique;
 return { id, name, reference };
 }),
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/helpers.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/helpers.tsx
index d12d39fdc490a..ce0d50d9b6106 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/helpers.tsx
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/helpers.tsx
@@ -43,9 +43,9 @@ export const getStepsData = ({
 rule != null
 ? {
 isNew: false,
- ...pick(['description', 'name', 'references', 'severity', 'tags', 'threats'], rule),
+ ...pick(['description', 'name', 'references', 'severity', 'tags', 'threat'], rule),
 ...(detailsView ? { name: '' } : {}),
- threats: rule.threats as IMitreEnterpriseAttack[],
+ threat: rule.threat as IMitreEnterpriseAttack[],
 falsePositives: rule.false_positives,
 riskScore: rule.risk_score,
 timeline: {
diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts
index 2b50e32a367ec..effaa90d685df 100644
--- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts
+++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/types.ts
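Review bot: In getStepsData, `'threat'` is added to the `pick([...], rule)` list and then immediately overwritten by the explicit `threat: rule.threat as IMitreEnterpriseAttack[]` property two lines below, so the pick entry is dead; dropping it, `...pick(['description', 'name', 'references', 'severity', 'tags'], rule),`, leaves the cast as the single source of that property. The cast itself is an unchecked assertion over the `unknown[]` that RuleSchema declares for `threat` (containers/detection_engine/rules/types.ts in this patch); a typed io-ts codec for the threat entries, or a runtime narrowing before the assignment, would let the `as` go away and would also surface a missing `threat` on rules persisted under the old key instead of passing `undefined` downstream. getStepsData continues outside the hunk.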
@@ -76,7 +76,7 @@ export interface AboutStepRule extends StepRuleData { falsePositives: string[]; tags: string[]; timeline: FieldValueTimeline; - threats: IMitreEnterpriseAttack[]; + threat: IMitreEnterpriseAttack[]; } export interface DefineStepRule extends StepRuleData { @@ -109,7 +109,7 @@ export interface AboutStepRuleJson { tags: string[]; timeline_id?: string; timeline_title?: string; - threats: IMitreEnterpriseAttack[]; + threat: IMitreEnterpriseAttack[]; } export interface ScheduleStepRuleJson { @@ -134,5 +134,5 @@ export interface IMitreAttack { export interface IMitreEnterpriseAttack { framework: string; tactic: IMitreAttack; - techniques: IMitreAttack[]; + technique: IMitreAttack[]; } diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx index 8819c3642b68b..f85dacaa647e6 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx @@ -63,7 +63,7 @@ export const SignalsByCategory = React.memo( showLinkToSignals={true} defaultStackByOption={{ text: `${i18n.SIGNALS_BY_CATEGORY}`, - value: 'signal.rule.threats', + value: 'signal.rule.threat', }} legendPosition={'right'} to={to} diff --git a/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts b/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts index 9f57155d4d189..730e6b884a182 100644 --- a/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts +++ b/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts @@ -399,7 +399,7 @@ export const ecsSchema = gql` references: ToStringArray severity: ToStringArray tags: ToStringArray - threats: ToAny + threat: ToAny type: ToStringArray size: ToStringArray to: ToStringArray 
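Review bot: The default stack-by option in signals_by_category/index.tsx now points at `signal.rule.threat`, which (assuming the `threat` mapping in this commit's signals_mapping.json sits under `signal.rule`) is an `object` holding `framework`/`tactic`/`technique` properties, not an aggregatable keyword leaf, so a terms aggregation keyed on it is unlikely to return buckets and the Signals-by-category overview would render empty. The commit message says a mapping for `signal.rule.threat.tactic.name` was added for exactly this purpose; unless the histogram component rewrites the field name elsewhere, the option should reference that leaf: `value: 'signal.rule.threat.tactic.name',`. The enclosing `SignalsByCategory` component starts and ends outside the hunk.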
diff --git a/x-pack/legacy/plugins/siem/server/graphql/types.ts b/x-pack/legacy/plugins/siem/server/graphql/types.ts index bc7486777b990..303262ece5c7f 100644 --- a/x-pack/legacy/plugins/siem/server/graphql/types.ts +++ b/x-pack/legacy/plugins/siem/server/graphql/types.ts @@ -1017,7 +1017,7 @@ export interface RuleField { tags?: Maybe; - threats?: Maybe; + threat?: Maybe; type?: Maybe; @@ -4994,7 +4994,7 @@ export namespace RuleFieldResolvers { tags?: TagsResolver, TypeParent, TContext>; - threats?: ThreatsResolver, TypeParent, TContext>; + threat?: ThreatResolver, TypeParent, TContext>; type?: TypeResolver, TypeParent, TContext>; @@ -5112,7 +5112,7 @@ export namespace RuleFieldResolvers { Parent = RuleField, TContext = SiemContext > = Resolver; - export type ThreatsResolver< + export type ThreatResolver< R = Maybe, Parent = RuleField, TContext = SiemContext diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts index 582def5ed7bdf..602bf3ce9699f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -34,11 +34,11 @@ export const mockPrepackagedRule = (): PrepackagedRules => ({ severity: 'high', query: 'user.name: root or user.name: admin', language: 'kuery', - threats: [ + threat: [ { framework: 'fake', tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef' }, - techniques: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }], + technique: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }], }, ], enabled: true, 
@@ -69,11 +69,11 @@ export const typicalPayload = (): Partial => ({ severity: 'high', query: 'user.name: root or user.name: admin', language: 'kuery', - threats: [ + threat: [ { framework: 'fake', tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef' }, - techniques: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }], + technique: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }], }, ], }); @@ -298,7 +298,7 @@ export const getResult = (): RuleAlertType => ({ severity: 'high', to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -306,7 +306,7 @@ export const getResult = (): RuleAlertType => ({ name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json index 4f3ba768b17b0..4986c100f1b0b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json @@ -87,8 +87,38 @@ "tags": { "type": "keyword" }, - "threats": { - "type": "object" + "threat": { + "properties": { + "framework": { + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } }, "type": { "type": "keyword" 
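Review bot: `threat` is mapped as a plain object with keyword leaves, while the rule payloads elsewhere in this commit carry it as an array of `{framework, tactic, technique[]}` entries; Elasticsearch flattens arrays of objects, so once a rule lists more than one threat a query or aggregation can no longer tell which `technique.id` belonged to which `tactic.name`. If that pairing matters for analysts triaging signals, `"threat": { "type": "nested", "properties": { … } }` preserves it, at the cost of nested queries in the UI; if only per-field stack-by is needed, the flat keywords are adequate and cheaper. Separately, a mapping file edit only affects indices created afterwards — any existing signals index created with the old dynamic `threats` object will presumably keep it, so a reindex or a template/index version bump may be needed for existing deployments (not verifiable from this hunk).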
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts index 1fe73f5ba196f..947d05253a8eb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts @@ -69,7 +69,7 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou name, severity, tags, - threats, + threat, to, type, updated_at: updatedAt, @@ -127,7 +127,7 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou tags, to, type, - threats, + threat, updatedAt, references, version, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts index 23acd12d341ed..d844936be3961 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts @@ -55,7 +55,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = name, severity, tags, - threats, + threat, to, type, updated_at: updatedAt, @@ -114,7 +114,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = tags, to, type, - threats, + threat, updatedAt, references, version: 1, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts index 6efaa1fea60d0..21fdd9a3cdff8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts 
@@ -104,7 +104,7 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = name, severity, tags, - threats, + threat, to, type, references, @@ -153,7 +153,7 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = tags, to, type, - threats, + threat, updatedAt: new Date().toISOString(), references, version, @@ -188,7 +188,7 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = tags, to, type, - threats, + threat, references, version, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts index e0d2672cf356a..5f75696a368d3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts @@ -69,7 +69,7 @@ export const createUpdateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou tags, to, type, - threats, + threat, references, version, } = payloadRule; @@ -102,7 +102,7 @@ export const createUpdateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou tags, to, type, - threats, + threat, references, version, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts index 49c9304ae2d25..99dc7ebfa27c5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts @@ -52,7 +52,7 @@ export const createUpdateRulesRoute: Hapi.ServerRoute = { tags, to, type, - threats, + threat, references, version, } = request.payload; 
@@ -94,7 +94,7 @@ export const createUpdateRulesRoute: Hapi.ServerRoute = { tags, to, type, - threats, + threat, references, version, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts index c1b4c7de73f68..ec11a8fb2da39 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts @@ -52,7 +52,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -60,7 +60,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -115,7 +115,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -123,7 +123,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -180,7 +180,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -188,7 +188,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -245,7 +245,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -253,7 +253,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', 
@@ -308,7 +308,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -316,7 +316,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -374,7 +374,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -382,7 +382,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -440,7 +440,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -448,7 +448,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -506,7 +506,7 @@ describe('utils', () => { severity: 'high', updated_by: 'elastic', tags: ['tag 1', 'tag 2'], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -514,7 +514,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -623,7 +623,7 @@ describe('utils', () => { tags: [], to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -631,7 +631,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -696,7 +696,7 @@ describe('utils', () => { tags: [], to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { 
@@ -704,7 +704,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -858,7 +858,7 @@ describe('utils', () => { tags: [], to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -866,7 +866,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -979,7 +979,7 @@ describe('utils', () => { saved_id: 'some-id', severity: 'high', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -987,7 +987,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -1039,7 +1039,7 @@ describe('utils', () => { saved_id: 'some-id', severity: 'high', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -1047,7 +1047,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', @@ -1088,7 +1088,7 @@ describe('utils', () => { saved_id: 'some-id', severity: 'high', tags: [], - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -1096,7 +1096,7 @@ describe('utils', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts index ae79b571b2b62..663ddf3a835a6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts @@ -110,7 +110,7 @@ export const transformAlertToRule = ( tags: transformTags(alert.tags), to: alert.params.to, type: alert.params.type, - threats: alert.params.threats, + threat: alert.params.threat, version: alert.params.version, status: ruleStatus?.attributes.status, status_date: ruleStatus?.attributes.statusDate, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts index 2a04c15b8cd9f..b536cfac05df3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts @@ -224,7 +224,7 @@ describe('add prepackaged rules schema', () => { ).toBeFalsy(); }); - test('You can send in an empty array to threats', () => { + test('You can send in an empty array to threat', () => { expect( addPrepackagedRulesSchema.validate>({ rule_id: 'rule-1', @@ -241,12 +241,12 @@ describe('add prepackaged rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [], + threat: [], version: 1, }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version, threats] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version, s] does validate', () => { expect( addPrepackagedRulesSchema.validate>({ rule_id: 'rule-1', @@ -259,7 +259,7 @@ describe('add prepackaged rules schema', () => { severity: 'low', interval: '5m', type: 'query', - threats: [ + threat: [ { framework: 'someFramework', tactic: { 
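Review bot: The renamed test title `test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version, s] does validate'` in add_prepackaged_rules_schema.test.ts lost its field name in the threats→threat replacement and now ends in a dangling `s]`. It should read `… risk_score, version, threat] does validate`, matching the sibling titles in create_rules_schema.test.ts and import_rules_schema.test.ts. Test titles are what appear in CI output, so the garbled name will confuse whoever reads a failure.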
@@ -267,7 +267,7 @@ describe('add prepackaged rules schema', () => { name: 'fakeName', reference: 'fakeRef', }, - techniques: [ + technique: [ { id: 'techniqueId', name: 'techniqueName', @@ -342,28 +342,7 @@ describe('add prepackaged rules schema', () => { ).toEqual(true); }); - test('immutable cannot be false', () => { - expect( - addPrepackagedRulesSchema.validate>({ - rule_id: 'rule-1', - risk_score: 50, - description: 'some description', - from: 'now-5m', - to: 'now', - index: ['index-1'], - immutable: false, - name: 'some-name', - severity: 'low', - interval: '5m', - type: 'query', - query: 'some-query', - language: 'kuery', - version: 1, - }).error.message - ).toEqual('child "immutable" fails because ["immutable" must be one of [true]]'); - }); - - test('immutable can be true', () => { + test('immutable cannot be set in a pre-packaged rule', () => { expect( addPrepackagedRulesSchema.validate>({ rule_id: 'rule-1', @@ -380,8 +359,8 @@ describe('add prepackaged rules schema', () => { query: 'some-query', language: 'kuery', version: 1, - }).error - ).toBeFalsy(); + }).error.message + ).toEqual('child "immutable" fails because ["immutable" is not allowed]'); }); test('defaults enabled to false', () => { @@ -765,11 +744,11 @@ describe('add prepackaged rules schema', () => { ); }); - test('You cannot send in an array of threats that are missing "framework"', () => { + test('You cannot send in an array of threat that are missing "framework"', () => { expect( addPrepackagedRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -786,14 +765,14 @@ describe('add prepackaged rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef', }, - techniques: [ + technique: [ { id: 'techniqueId', name: 'techniqueName', 
@@ -805,15 +784,15 @@ describe('add prepackaged rules schema', () => { version: 1, }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "framework" fails because ["framework" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "framework" fails because ["framework" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "tactic"', () => { + test('You cannot send in an array of threat that are missing "tactic"', () => { expect( addPrepackagedRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -830,10 +809,10 @@ describe('add prepackaged rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', - techniques: [ + technique: [ { id: 'techniqueId', name: 'techniqueName', @@ -845,15 +824,15 @@ describe('add prepackaged rules schema', () => { version: 1, }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "techniques"', () => { + test('You cannot send in an array of threat that are missing "technique"', () => { expect( addPrepackagedRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -870,7 +849,7 @@ describe('add prepackaged rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', tactic: { 
@@ -883,7 +862,7 @@ describe('add prepackaged rules schema', () => { version: 1, }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "techniques" fails because ["techniques" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "technique" fails because ["technique" is required]]]' ); }); @@ -937,54 +916,6 @@ describe('add prepackaged rules schema', () => { ); }); - test('You can optionally set the immutable to be true', () => { - expect( - addPrepackagedRulesSchema.validate>({ - rule_id: 'rule-1', - risk_score: 50, - description: 'some description', - from: 'now-5m', - to: 'now', - immutable: true, - index: ['index-1'], - name: 'some-name', - severity: 'low', - interval: '5m', - type: 'query', - references: ['index-1'], - query: 'some query', - language: 'kuery', - max_signals: 1, - version: 1, - }).error - ).toBeFalsy(); - }); - - test('You cannot set the immutable to be a number', () => { - expect( - addPrepackagedRulesSchema.validate< - Partial> & { immutable: number } - >({ - rule_id: 'rule-1', - risk_score: 50, - description: 'some description', - from: 'now-5m', - to: 'now', - immutable: 5, - index: ['index-1'], - name: 'some-name', - severity: 'low', - interval: '5m', - type: 'query', - references: ['index-1'], - query: 'some query', - language: 'kuery', - max_signals: 1, - version: 1, - }).error.message - ).toEqual('child "immutable" fails because ["immutable" must be a boolean]'); - }); - test('You cannot set the risk_score to 101', () => { expect( addPrepackagedRulesSchema.validate>({ @@ -993,7 +924,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', 
@@ -1016,7 +946,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1039,7 +968,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1062,7 +990,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1085,7 +1012,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1113,7 +1039,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1137,7 +1062,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1183,7 +1107,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1207,7 +1130,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1232,7 +1154,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', 
@@ -1257,7 +1178,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1282,7 +1202,6 @@ describe('add prepackaged rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, index: ['index-1'], name: 'some-name', severity: 'low', @@ -1322,6 +1241,7 @@ describe('add prepackaged rules schema', () => { rule_id: 'rule-1', risk_score: 50, description: 'some description', + index: ['auditbeat-*'], name: 'some-name', severity: 'low', type: 'query', @@ -1340,6 +1260,7 @@ describe('add prepackaged rules schema', () => { rule_id: 'rule-1', risk_score: 50, description: 'some description', + index: ['auditbeat-*'], name: 'some-name', severity: 'junk', type: 'query', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts index d254f83243491..b62c480492c84 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts @@ -30,7 +30,7 @@ import { tags, to, type, - threats, + threat, references, version, } from './schemas'; 
@@ -42,9 +42,10 @@ import { DEFAULT_MAX_SIGNALS } from '../../../../../common/constants';
 * Big differences between this schema and the createRulesSchema
 * - rule_id is required here
 * - output_index is not allowed (and instead the space index must be used)
- * - immutable defaults to true instead of to false and if it is there can only be true
+ * - immutable is forbidden but defaults to true instead of to false and it can only ever be true
 * - enabled defaults to false instead of true
 * - version is a required field that must exist
+ * - index is a required field that must exist
 */
 export const addPrepackagedRulesSchema = Joi.object({
 description: description.required(),
@@ -53,8 +54,11 @@ export const addPrepackagedRulesSchema = Joi.object({
 filters,
 from: from.default('now-6m'),
 rule_id: rule_id.required(),
- immutable: immutable.default(true).valid(true),
- index,
+ immutable: immutable
+ .forbidden()
+ .default(true)
+ .valid(true),
+ index: index.required(),
 interval: interval.default('5m'),
 query: query.allow('').default(''),
 language: language.default('kuery'),
@@ -73,7 +77,7 @@ export const addPrepackagedRulesSchema = Joi.object({
 tags: tags.default([]),
 to: to.default('now'),
 type: type.required(),
- threats: threats.default([]),
+ threat: threat.default([]),
 references: references.default([]),
 version: version.required(),
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
index f765f01300c58..d9605a265d28b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
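Review bot: In `immutable: immutable.forbidden().default(true).valid(true)` the `.valid(true)` is unreachable — once the key is `.forbidden()` any supplied value is rejected with "not allowed" before an allowed-values check could run, as the updated test's expected message confirms — and the header bullet `immutable is forbidden but defaults to true … it can only ever be true` reads as self-contradictory. Suggest `immutable: immutable.forbidden().default(true), // callers can never set this; the schema injects true so pre-packaged rules stay immutable` and the bullet `immutable may not be supplied; the schema sets it to true so pre-packaged rules cannot be edited through the API`. The visible tests only assert rejection when the key is present; the route's integrity guarantee actually rests on Joi still applying `.default(true)` to a forbidden key that is absent, so add an assertion that `addPrepackagedRulesSchema.validate({ …no immutable… }).value.immutable` equals `true` next to the existing `defaults enabled to false` test. `index: index.required()` is consistent with the commit's note that a missing concrete index was a breaking bug.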
@@ -239,7 +239,7 @@ describe('create rules schema', () => { ).toBeFalsy(); }); - test('You can send in an empty array to threats', () => { + test('You can send in an empty array to threat', () => { expect( createRulesSchema.validate>({ rule_id: 'rule-1', @@ -257,12 +257,12 @@ describe('create rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [], + threat: [], }).error ).toBeFalsy(); }); - test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threats] does validate', () => { + test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threat] does validate', () => { expect( createRulesSchema.validate>({ rule_id: 'rule-1', @@ -276,7 +276,7 @@ describe('create rules schema', () => { severity: 'low', interval: '5m', type: 'query', - threats: [ + threat: [ { framework: 'someFramework', tactic: { @@ -284,7 +284,7 @@ describe('create rules schema', () => { name: 'fakeName', reference: 'fakeRef', }, - techniques: [ + technique: [ { id: 'techniqueId', name: 'techniqueName', @@ -678,11 +678,11 @@ describe('create rules schema', () => { ); }); - test('You cannot send in an array of threats that are missing "framework"', () => { + test('You cannot send in an array of threat that are missing "framework"', () => { expect( createRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -700,14 +700,14 @@ describe('create rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef', }, - techniques: [ + technique: [ { id: 'techniqueId', name: 'techniqueName', 
@@ -718,15 +718,15 @@ describe('create rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "framework" fails because ["framework" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "framework" fails because ["framework" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "tactic"', () => { + test('You cannot send in an array of threat that are missing "tactic"', () => { expect( createRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -744,10 +744,10 @@ describe('create rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', - techniques: [ + technique: [ { id: 'techniqueId', name: 'techniqueName', @@ -758,15 +758,15 @@ describe('create rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]' ); }); - test('You cannot send in an array of threats that are missing "techniques"', () => { + test('You cannot send in an array of threat that are missing "technique"', () => { expect( createRulesSchema.validate< - Partial> & { - threats: Array>>; + Partial> & { + threat: Array>>; } >({ rule_id: 'rule-1', @@ -784,7 +784,7 @@ describe('create rules schema', () => { query: 'some query', language: 'kuery', max_signals: 1, - threats: [ + threat: [ { framework: 'fake', tactic: { 
@@ -796,7 +796,7 @@ describe('create rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "techniques" fails because ["techniques" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "technique" fails because ["technique" is required]]]' ); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts index 06dbb0cbb48f3..eb79e06c8efa6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts @@ -30,7 +30,7 @@ import { tags, to, type, - threats, + threat, references, version, } from './schemas'; @@ -65,7 +65,7 @@ export const createRulesSchema = Joi.object({ tags: tags.default([]), to: to.default('now'), type: type.required(), - threats: threats.default([]), + threat: threat.default([]), references: references.default([]), version: version.default(1), }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts index b19a91d18c3ff..c72e1b7ef2a63 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts @@ -244,7 +244,7 @@ describe('import rules schema', () => { ).toBeFalsy(); }); - test('You can send in an empty array to threats', () => { + test('You can send in an empty array to threat', () => { expect( importRulesSchema.validate>({ rule_id: 'rule-1', 
@@ -262,12 +262,12 @@ describe('import rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- threats: [],
+ threat: [],
 }).error
 ).toBeFalsy();
 });
 
- test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threats] does validate', () => {
+ test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threat] does validate', () => {
 expect(
 importRulesSchema.validate>({
 rule_id: 'rule-1',
@@ -281,7 +281,7 @@ describe('import rules schema', () => {
 severity: 'low',
 interval: '5m',
 type: 'query',
- threats: [
+ threat: [
 {
 framework: 'someFramework',
 tactic: {
@@ -289,7 +289,7 @@ describe('import rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -685,11 +685,11 @@ describe('import rules schema', () => {
 );
 });
 
- test('You cannot send in an array of threats that are missing "framework"', () => {
+ test('You cannot send in an array of threat that are missing "framework"', () => {
 expect(
 importRulesSchema.validate<
- Partial> & {
- threats: Array>>;
+ Partial> & {
+ threat: Array>>;
 }
 >({
 rule_id: 'rule-1',
@@ -707,14 +707,14 @@ describe('import rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- threats: [
+ threat: [
 {
 tactic: {
 id: 'fakeId',
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -725,15 +725,15 @@ describe('import rules schema', () => {
 ],
 }).error.message
 ).toEqual(
- 'child "threats" fails because ["threats" at position 0 fails because [child "framework" fails because ["framework" is required]]]'
+ 'child "threat" fails because ["threat" at position 0 fails because [child "framework" fails because ["framework" is required]]]'
 );
 });
 
- test('You cannot send in an array of threats that are missing "tactic"', () => {
+ test('You cannot send in an array of threat that are missing "tactic"', () => {
 expect(
 importRulesSchema.validate<
- Partial> & {
- threats: Array>>;
+ Partial> & {
+ threat: Array>>;
 }
 >({
 rule_id: 'rule-1',
@@ -751,10 +751,10 @@ describe('import rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- threats: [
+ threat: [
 {
 framework: 'fake',
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -765,15 +765,15 @@ describe('import rules schema', () => {
 ],
 }).error.message
 ).toEqual(
- 'child "threats" fails because ["threats" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]'
+ 'child "threat" fails because ["threat" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]'
 );
 });
 
- test('You cannot send in an array of threats that are missing "techniques"', () => {
+ test('You cannot send in an array of threat that are missing "technique"', () => {
 expect(
 importRulesSchema.validate<
- Partial> & {
- threats: Array>>;
+ Partial> & {
+ threat: Array>>;
 }
 >({
 rule_id: 'rule-1',
@@ -791,7 +791,7 @@ describe('import rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- threats: [
+ threat: [
 {
 framework: 'fake',
 tactic: {
@@ -803,7 +803,7 @@ describe('import rules schema', () => { ], }).error.message ).toEqual( - 'child "threats" fails because ["threats" at position 0 fails because [child "techniques" fails because ["techniques" is required]]]' + 'child "threat" fails because ["threat" at position 0 fails because [child "technique" fails because ["technique" is required]]]' ); }); @@ -857,7 +857,7 @@ describe('import rules schema', () => { ); }); - test('You can optionally set the immutable to be true', () => { + test('You can optionally set the immutable to be false', () => { expect( importRulesSchema.validate>({ rule_id: 'rule-1', @@ -866,7 +866,7 @@ describe('import rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, + immutable: false, index: ['index-1'], name: 'some-name', severity: 'low', @@ -880,6 +880,29 @@ describe('import rules schema', () => { ).toBeFalsy(); }); + test('You cannnot set immutable to be true', () => { + expect( + importRulesSchema.validate>({ + rule_id: 'rule-1', + output_index: '.siem-signals', + risk_score: 50, + description: 'some description', + from: 'now-5m', + to: 'now', + immutable: true, + index: ['index-1'], + name: 'some-name', + severity: 'low', + interval: '5m', + type: 'query', + references: ['index-1'], + query: 'some query', + language: 'kuery', + max_signals: 1, + }).error.message + ).toEqual('child "immutable" fails because ["immutable" must be one of [false]]'); + }); + test('You cannot set the immutable to be a number', () => { expect( importRulesSchema.validate< @@ -914,7 +937,7 @@ describe('import rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, + immutable: false, index: ['index-1'], name: 'some-name', severity: 'low', @@ -937,7 +960,7 @@ describe('import rules schema', () => { description: 'some description', from: 'now-5m', to: 'now', - immutable: true, + immutable: false, index: ['index-1'], name: 'some-name', severity: 'low', 
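Review bot: The new test name in the `@@ -880,6 +880,29 @@` hunk has a typo, `cannnot`; rename it `test('You cannot set immutable to be true', () => {`. The assertion pins the exact Joi message `"immutable" must be one of [false]`, which also pins the decision to reject rather than strip the field, so keep it only if rejection is the intended contract. The remaining hunks on this line only flip fixtures from `immutable: true` to `immutable: false` and need no further change.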
@@ -960,7 +983,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -983,7 +1006,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1006,7 +1029,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1032,7 +1055,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
@@ -1056,7 +1079,7 @@ describe('import rules schema', () => {
 description: 'some description',
 from: 'now-5m',
 to: 'now',
- immutable: true,
+ immutable: false,
 index: ['index-1'],
 name: 'some-name',
 severity: 'low',
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
index 8516585a2c055..1254694645b9c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
@@ -36,7 +36,7 @@ import {
 tags,
 to,
 type,
- threats,
+ threat,
 references,
 version,
 } from './schemas';
@@ -61,7 +61,7 @@ export const importRulesSchema = Joi.object({
 filters,
 from: from.default('now-6m'),
 rule_id: rule_id.required(),
- immutable: immutable.default(false),
+ immutable: immutable.default(false).valid(false),
 index,
 interval: interval.default('5m'),
 query: query.allow('').default(''),
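Review bot: `immutable: immutable.default(false).valid(false)` in the `@@ -61,7 +61,7 @@` hunk of import_rules_schema.ts carries no comment, and restricting a boolean to a single value will look like a mistake to the next reader without the PR's rationale. I would add above it: `// Imported rules are always user-owned: never let an import file set immutable=true, since immutable is reserved for prepackaged rules installed by code.` If exported prepackaged rules carry `immutable: true` (not visible in this diff), such files will now be rejected with `"immutable" must be one of [false]` instead of importing as editable copies; if that is unintended, stripping the field before validation is the alternative. The import rename in the `@@ -36,7 +36,7 @@` hunk is trivial.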
@@ -82,7 +82,7 @@ export const importRulesSchema = Joi.object({
 tags: tags.default([]),
 to: to.default('now'),
 type: type.required(),
- threats: threats.default([]),
+ threat: threat.default([]),
 references: references.default([]),
 version: version.default(1),
 created_at,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
index a027fcb96b599..9b311b1b58ea7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
@@ -87,11 +87,11 @@ export const threat_technique = Joi.object({
 reference: threat_technique_reference.required(),
 });
 export const threat_techniques = Joi.array().items(threat_technique.required());
-export const threats = Joi.array().items(
+export const threat = Joi.array().items(
 Joi.object({
 framework: threat_framework.required(),
 tactic: threat_tactic.required(),
- techniques: threat_techniques.required(),
+ technique: threat_techniques.required(),
 })
 );
 export const created_at = Joi.string()
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
index 44b3b5b927be2..0dc9f3df3da1c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
@@ -670,7 +670,7 @@ describe('update rules schema', () => {
 ).toEqual('child "filters" fails because ["filters" must be an array]');
 });
 
- test('threats is not defaulted to empty array on update', () => {
+ test('threat is not defaulted to empty array on update', () => {
 expect(
 updateRulesSchema.validate>({
 id: 'rule-1',
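Review bot: The `threat` schema in the `@@ -87,11 +87,11 @@` hunk of schemas.ts now uses singular keys for array-valued fields while the helper it wraps keeps the plural name `threat_techniques`, and nothing in the file says why; the next person to touch it will be tempted to "fix" the keys back to plural, which the PR description says would break the signal mapping. I would add above `export const threat`: `// ECS uses singular field names (threat, threat.technique) even for array values; these keys must match the signals index mapping exactly.` Renaming the helper to match (`threat_technique_list` or similar) would remove the mismatch but is optional.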
@@ -686,11 +686,11 @@ describe('update rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- }).value.threats
+ }).value.threat
 ).toBe(undefined);
 });
 
- test('threats is not defaulted to undefined on update with empty array', () => {
+ test('threat is not defaulted to undefined on update with empty array', () => {
 expect(
 updateRulesSchema.validate>({
 id: 'rule-1',
@@ -706,12 +706,12 @@ describe('update rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- threats: [],
- }).value.threats
+ threat: [],
+ }).value.threat
 ).toMatchObject([]);
 });
 
- test('threats is valid when updated with all sub-objects', () => {
+ test('threat is valid when updated with all sub-objects', () => {
 const expected: ThreatParams[] = [
 {
 framework: 'fake',
@@ -720,7 +720,7 @@ describe('update rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -744,7 +744,7 @@ describe('update rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- threats: [
+ threat: [
 {
 framework: 'fake',
 tactic: {
@@ -752,7 +752,7 @@ describe('update rules schema', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -761,15 +761,15 @@ describe('update rules schema', () => {
 ],
 },
 ],
- }).value.threats
+ }).value.threat
 ).toMatchObject(expected);
 });
 
- test('threats is invalid when updated with missing property framework', () => {
+ test('threat is invalid when updated with missing property framework', () => {
 expect(
 updateRulesSchema.validate<
- Partial> & {
- threats: Array>>;
+ Partial> & {
+ threat: Array>>;
 }
 >({
 id: 'rule-1',
@@ -785,14 +785,14 @@ describe('update rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- threats: [
+ threat: [
 {
 tactic: {
 id: 'fakeId',
 name: 'fakeName',
 reference: 'fakeRef',
 },
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -803,15 +803,15 @@ describe('update rules schema', () => {
 ],
 }).error.message
 ).toEqual(
- 'child "threats" fails because ["threats" at position 0 fails because [child "framework" fails because ["framework" is required]]]'
+ 'child "threat" fails because ["threat" at position 0 fails because [child "framework" fails because ["framework" is required]]]'
 );
 });
 
- test('threats is invalid when updated with missing tactic sub-object', () => {
+ test('threat is invalid when updated with missing tactic sub-object', () => {
 expect(
 updateRulesSchema.validate<
- Partial> & {
- threats: Array>>;
+ Partial> & {
+ threat: Array>>;
 }
 >({
 id: 'rule-1',
@@ -827,10 +827,10 @@ describe('update rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- threats: [
+ threat: [
 {
 framework: 'fake',
- techniques: [
+ technique: [
 {
 id: 'techniqueId',
 name: 'techniqueName',
@@ -841,15 +841,15 @@ describe('update rules schema', () => {
 ],
 }).error.message
 ).toEqual(
- 'child "threats" fails because ["threats" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]'
+ 'child "threat" fails because ["threat" at position 0 fails because [child "tactic" fails because ["tactic" is required]]]'
 );
 });
 
- test('threats is invalid when updated with missing techniques', () => {
+ test('threat is invalid when updated with missing technique', () => {
 expect(
 updateRulesSchema.validate<
- Partial> & {
- threats: Array>>;
+ Partial> & {
+ threat: Array>>;
 }
 >({
 id: 'rule-1',
@@ -865,7 +865,7 @@ describe('update rules schema', () => {
 query: 'some query',
 language: 'kuery',
 max_signals: 1,
- threats: [
+ threat: [
 {
 framework: 'fake',
 tactic: {
@@ -877,7 +877,7 @@ describe('update rules schema', () => {
 ],
 }).error.message
 ).toEqual(
- 'child "threats" fails because ["threats" at position 0 fails because [child "techniques" fails because ["techniques" is required]]]'
+ 'child "threat" fails because ["threat" at position 0 fails because [child "technique" fails because ["technique" is required]]]'
 );
 });
 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
index d363bfca98466..3aa8e007a8cbd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
@@ -30,7 +30,7 @@ import {
 tags,
 to,
 type,
- threats,
+ threat,
 references,
 id,
 version,
@@ -61,7 +61,7 @@ export const updateRulesSchema = Joi.object({
 tags,
 to,
 type,
- threats,
+ threat,
 references,
 version,
 }).xor('id', 'rule_id');
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
index 1d3801d80de11..d65f5f84c6d64 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
@@ -32,7 +32,7 @@ export const createRules = ({
 name,
 severity,
 tags,
- threats,
+ threat,
 to,
 type,
 references,
@@ -63,7 +63,7 @@ export const createRules = ({
 maxSignals,
 riskScore,
 severity,
- threats,
+ threat,
 to,
 type,
 updatedAt: new Date().toISOString(),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
index 48b7195c3b0bc..d4b7c252e3e38 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
@@ -65,7 +65,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -88,7 +88,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -130,7 +130,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -153,7 +153,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -194,7 +194,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -217,7 +217,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 },
@@ -258,7 +258,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 });
@@ -282,7 +282,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 });
@@ -322,7 +322,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 });
@@ -348,7 +348,7 @@ describe('create_rules_stream_from_ndjson', () => {
 language: 'kuery',
 max_signals: 100,
 tags: [],
- threats: [],
+ threat: [],
 references: [],
 version: 1,
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts
index eb9756af8fde1..ff48b9f5f7c33 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts
@@ -23,7 +23,7 @@ describe('getExportAll', () => { const exports = await getExportAll(unsafeCast); expect(exports).toEqual({ rulesNdjson: - '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threats":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"techniques":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n', + '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: 
admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"technique":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n', exportDetails: '{"exported_count":1,"missing_rules":[],"missing_rules_count":0}\n', }); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts index a861d80a66fd5..05e455efb3f22 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts 
@@ -25,7 +25,7 @@ describe('get_export_by_object_ids', () => { const exports = await getExportByObjectIds(unsafeCast, objects); expect(exports).toEqual({ rulesNdjson: - '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threats":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"techniques":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n', + '{"created_at":"2019-12-13T16:40:33.400Z","updated_at":"2019-12-13T16:40:33.400Z","created_by":"elastic","description":"Detecting root and admin users","enabled":true,"false_positives":[],"filters":[{"query":{"match_phrase":{"host.name":"some-host"}}}],"from":"now-6m","id":"04128c15-0d1b-4716-a4c5-46997ac7f3bd","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*"],"interval":"5m","rule_id":"rule-1","language":"kuery","output_index":".siem-signals","max_signals":100,"risk_score":50,"name":"Detect Root/Admin Users","query":"user.name: root or user.name: 
admin","references":["http://www.example.com","https://ww.example.com"],"saved_id":"some-id","timeline_id":"some-timeline-id","timeline_title":"some-timeline-title","meta":{"someMeta":"someField"},"severity":"high","updated_by":"elastic","tags":[],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0040","name":"impact","reference":"https://attack.mitre.org/tactics/TA0040/"},"technique":[{"id":"T1499","name":"endpoint denial of service","reference":"https://attack.mitre.org/techniques/T1499/"}]}],"version":1}\n', exportDetails: '{"exported_count":1,"missing_rules":[],"missing_rules_count":0}\n', }); }); @@ -98,7 +98,7 @@ describe('get_export_by_object_ids', () => { tags: [], to: 'now', type: 'query', - threats: [ + threat: [ { framework: 'MITRE ATT&CK', tactic: { @@ -106,7 +106,7 @@ describe('get_export_by_object_ids', () => { name: 'impact', reference: 'https://attack.mitre.org/tactics/TA0040/', }, - techniques: [ + technique: [ { id: 'T1499', name: 'endpoint denial of service', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts index 1fc81ad386c22..1f3bddf024442 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts @@ -40,7 +40,7 @@ export const installPrepackagedRules = ( tags, to, type, - threats, + threat, references, version, } = rule; @@ -72,7 +72,7 @@ export const installPrepackagedRules = ( tags, to, type, - threats, + threat, references, version, createdAt: new Date().toISOString(), diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json index b9ca36e009ce5..da0613e1f6fa7 100644 
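Review bot: `to` is still destructured from `rule` in the `@@ -40,7 +40,7 @@` hunk of install_prepacked_rules.ts and forwarded unchanged at `@@ -72,7 +72,7 @@`, yet every prepackaged JSON file in this commit drops `"to": "now"` (and `from`, `interval`, `enabled`, `filters`, `immutable`); unless defaults are supplied before this point, those values are now undefined when the rule is created. The top of the destructuring and the call that consumes it are outside the hunk, so confirm the defaults live there, and in particular that the installer sets `immutable: true` in code now that the JSON no longer carries it and the import schema rejects it.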
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
@@ -1,28 +1,25 @@
 {
 "description": "A POST request to web application returned a 403 response which indicates the web application declined to process the request because the action requested was disallowed.",
- "enabled": false,
 "false_positives": [
 "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
 ],
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Web Application Suspicious Activity: POST Request Declined",
 "query": "http.response.status_code:403 and http.request.method:post",
- "references": [
- "https://en.wikipedia.org/wiki/HTTP_403"
- ],
+ "references": ["https://en.wikipedia.org/wiki/HTTP_403"],
 "risk_score": 50,
 "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
 "severity": "low",
- "tags": [
- "Elastic",
- "apm"
- ],
- "to": "now",
+ "tags": ["Elastic", "apm"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
index c33307b93592b..b0edfb25e9392 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
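Review bot: The same six-pattern `index` list is pasted verbatim into every prepackaged rule in this commit (this file and the 405, 500, attrib.exe, Adobe and audio-capture rules that follow), but the 403/405 queries only reference `http.response.status_code` and `http.request.method`, and the Windows process rules only reference `event.action` and `process.*`. Scoping each rule to the patterns that actually carry its fields would cut query cost per scheduler run; if a uniform default is the intent, applying it once in install_prepacked_rules.ts is easier to maintain than duplicating it in every file. JSON has no comment syntax, so whichever choice is made, the rationale belongs in the installer or a README next to the rules.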
@@ -1,28 +1,25 @@
 {
 "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method was not allowed for the resource.",
- "enabled": false,
 "false_positives": [
 "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
 ],
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Web Application Suspicious Activity: Unauthorized Method",
 "query": "http.response.status_code:405",
- "references": [
- "https://en.wikipedia.org/wiki/HTTP_405"
- ],
+ "references": ["https://en.wikipedia.org/wiki/HTTP_405"],
 "risk_score": 50,
 "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
 "severity": "low",
- "tags": [
- "Elastic",
- "apm"
- ],
- "to": "now",
+ "tags": ["Elastic", "apm"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
index 6231200379732..3b4bcbe670921 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json
@@ -1,17 +1,20 @@
 {
 "description": "500 Response on Admin page",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "500 Response on Admin page",
 "query": "url.path:\"/admin/\" and http.response.status_code:500",
 "risk_score": 50,
 "rule_id": "054f669c-b065-492e-acd9-15e44fc42380",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
index e5280d19f8e4a..6843f622bee8f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -1,20 +1,21 @@
 {
 "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Adding the Hidden File Attribute with via attrib.exe",
- "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
+ "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
 "risk_score": 25,
 "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1158",
 "name": "Hidden Files and Directories",
@@ -37,7 +38,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1158",
 "name": "Hidden Files and Directories",
@@ -46,7 +47,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
index 0fac9b17160e2..fcc105f2447e8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
@@ -1,20 +1,21 @@
 {
 "description": "Detects writing executable files that will be automatically launched by Adobe on launch.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Adobe Hijack Persistence",
 "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
 "risk_score": 25,
 "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1044",
 "name": "File System Permissions Weakness",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
index 0506d03348913..feaa8451754a5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json
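Review bot: The exclusion `not process.name:msiexeec.exe` in the Adobe Hijack Persistence query looks like a typo for `msiexec.exe`; as written it never matches, so legitimate installer writes of RdrCEF.exe will alert and the rule's false-positive rate is higher than intended. The line is context the commit does not touch, but the whole file is being reworked here, so correcting it to `not process.name:msiexec.exe` in the same pass is cheap. The rest of the hunk is the same field rename and index-list change as the sibling rule files.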
@@ -1,20 +1,21 @@
 {
 "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Audio Capture via PowerShell",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"",
 "risk_score": 25,
 "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Collection",
 "reference": "https://attack.mitre.org/tactics/TA0009/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1123",
 "name": "Audio Capture",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
index 392eeb3980c9f..0365616e86faf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json
@@ -1,20 +1,21 @@
 {
 "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Audio Capture via SoundRecorder",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"",
 "risk_score": 25,
 "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Collection",
 "reference": "https://attack.mitre.org/tactics/TA0009/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1123",
 "name": "Audio Capture",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
index ecbc9a2dd46c4..e3d57d2b05503 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json
@@ -1,20 +1,21 @@
 {
 "description": "Identifies User Account Control (UAC) bypass via eventvwr. Attackers bypass UAC to stealthily execute code with elevated permissions.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Bypass UAC via Event Viewer",
 "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")",
 "risk_score": 25,
 "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Privilege Escalation",
 "reference": "https://attack.mitre.org/tactics/TA0004/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
index 2518fda68ee0f..0d9346a7e1f88 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json
@@ -1,20 +1,21 @@
 {
 "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Bypass UAC via CMSTP",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")",
 "risk_score": 25,
 "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Privilege Escalation",
 "reference": "https://attack.mitre.org/tactics/TA0004/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
index c419dc080ec3c..3e99f1be6bf2e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json
@@ -1,20 +1,21 @@
 {
 "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Bypass UAC via SDCLT",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")",
 "risk_score": 25,
 "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Privilege Escalation",
 "reference": "https://attack.mitre.org/tactics/TA0004/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
index bcf9b02a0210f..9d8d3bab1ace7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
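Review bot: The `description` context line still reads `bypass via cmstp`, but this rule is `Bypass UAC via SDCLT` and its query matches `sdclt.exe`; the text appears to have been copied from the cmstp rule and will mislead an analyst reading the signal. Suggest `"description": "Identifies User Account Control (UAC) bypass via sdclt. Attackers bypass UAC to stealthily execute code with elevated permissions.",`. The `query` also keeps the leading space (`" event.action:...`) that the attrib.exe hunk earlier in this patch removed; the same stray leading space remains in the SMB, DLL search order hijack, scheduled task, MsBuild and Office child process queries below.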
@@ -1,20 +1,21 @@
 {
 "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt evade detection or destroy forensic evidence on a system.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Clearing Windows Event Logs",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")",
 "risk_score": 25,
 "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1070",
 "name": "Indicator Removal on Host",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
index 5a9ba60597534..e69de058960d4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
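Review bot: The `query` context line mixes `and` and `or` without grouping; KQL binds `and` tighter than `or`, so the `event.action` constraint applies only to the wevtutil branch and `(process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")` matches on any event type, not just process creation. Wrap the two alternatives: `event.action:\"Process Create (rule: ProcessCreate)\" and ((process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"))`. The netsh rule later in this patch has the same shape: its trailing `or process.args:(\"advfirewall\" and \"state\" and \"off\")` branch is not tied to `process.name:\"netsh.exe\"` or to the process-creation event, so any process whose arguments contain those three tokens would produce a signal.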
@@ -1,20 +1,21 @@
 {
 "description": "Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Delete Volume USN Journal with fsutil",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")",
 "risk_score": 25,
 "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1107",
 "name": "File Deletion",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
index 240678d45238c..cbf51ffb7c20b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
@@ -1,20 +1,21 @@
 {
 "description": "Identifies use of the wbadmin command to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Deleting Backup Catalogs with wbadmin",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")",
 "risk_score": 25,
 "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1107",
 "name": "File Deletion",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
index 9e5ccc73dc05e..5e8321c6777aa 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
@@ -1,20 +1,21 @@
 {
 "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Direct Outbound SMB Connection",
 "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")",
 "risk_score": 50,
 "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Lateral Movement",
 "reference": "https://attack.mitre.org/tactics/TA0008/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1210",
 "name": "Exploitation of Remote Services",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
index 40a8298561dbd..c9510913a151f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
@@ -1,20 +1,21 @@
 {
 "description": "Identifies use of the netsh command to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Disable Windows Firewall Rules with Netsh",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")",
 "risk_score": 50,
 "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1089",
 "name": "Disabling Security Tools",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
index 0ee8674e3304b..214ddfaf0feec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json
@@ -1,20 +1,21 @@
 {
 "description": "Detects writing DLL files to known locations associated with Windows files vulnerable to DLL search order hijacking.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "DLL Search Order Hijack",
 "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ",
 "risk_score": 50,
 "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Privilege Escalation",
 "reference": "https://attack.mitre.org/tactics/TA0004/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
@@ -37,7 +38,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1088",
 "name": "Bypass User Account Control",
@@ -46,7 +47,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
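Review bot: Every entry in the `file.path` list on the `query` context line is written `C\\Windows\\...` without the drive colon, whereas the other rules in this patch write `C:\\Windows\\System32\\mmc.exe`; as written none of the nine paths can equal a real Windows file path, so this rule never produces a signal while appearing to provide coverage. Each value should read like `\"C:\\Windows\\System32\\Sysprep\\cryptbase.dll\"`. The query also carries both a leading and a trailing space inside the string that the PR's cleanup of extra characters did not remove.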
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
index 3e912e076adec..e531a2d05a97e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
@@ -1,20 +1,21 @@
 {
 "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Encoding or Decoding Files via CertUtil",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")",
 "risk_score": 50,
 "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1140",
 "name": "Deobfuscate/Decode Files or Information",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
index 304fea1cfbb76..426d32b9b1e48 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
@@ -1,20 +1,21 @@
 {
 "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Local Scheduled Task Commands",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")",
 "risk_score": 25,
 "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1053",
 "name": "Scheduled Task",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
index 7454b0fd452c6..71f94ecf91788 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
@@ -1,20 +1,21 @@
 {
 "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Local Service Commands",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")",
 "risk_score": 25,
 "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1021",
 "name": "Remote Services",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
index d4ac29a78c77d..162dfe717df55 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json
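Review bot: The `description` context line says the rule identifies sc.exe acting `on remote hosts`, but the query only constrains `process.name:sc.exe` and the subcommand in `process.args`, with no remote-target argument, so it fires on purely local service changes exactly as the `Local Service Commands` name suggests. The description should match what the query actually detects so analysts do not assume a remote target was involved, e.g. `"description": "Identifies use of sc.exe to create, modify, or start services. This could be indicative of adversary persistence or lateral movement but will be noisy if commonly done by admins.",`. The `threat` mapping pairs the `Execution` tactic with `T1021` Remote Services, which is worth re-checking against the same local-only scope.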
@@ -1,20 +1,21 @@
 {
 "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Modification of Boot Configuration",
 "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ",
 "risk_score": 75,
 "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8",
 "severity": "high",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Defense Evasion",
 "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1107",
 "name": "File Deletion",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
index 61049bba92cce..296f6f0862374 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
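Review bot: The `description` context line says the rule identifies bcdedit being used `to delete boot configuration data`, but the query matches `bcdedit.exe set` with `bootstatuspolicy ignoreallfailures` or `recoveryenabled no`, which disables automatic recovery rather than deleting anything; the `technique` hunk's `T1107` File Deletion label inherits the same mismatch. Suggest wording the description around what is matched, e.g. `"description": "Identifies use of the bcdedit command to disable Windows recovery features. This is sometimes done by ransomware or an attacker to inhibit system recovery.",`, and re-checking the ATT&CK mapping accordingly. The `description` also contains the stray words `used as by`, and the query string ends with a trailing space.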
@@ -1,20 +1,21 @@
 {
 "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "MsBuild Making Network Connections",
 "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")",
 "risk_score": 50,
 "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1127",
 "name": "Trusted Developer Utilities",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
index f2ed8449b9aaf..18c9e286c99ef 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
@@ -1,23 +1,22 @@
 {
 "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Mshta Making Network Connections",
 "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"",
- "references": [
- "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
- ],
+ "references": ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"],
 "risk_score": 50,
 "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -25,7 +24,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1170",
 "name": "Mshta",
@@ -34,7 +33,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
index c86b7515173dc..b21b17cd89abf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json
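Review bot: The `query` context line `process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"` is self-contradictory and can never be true, so this rule will never generate a signal even though it ships as part of the prepackaged set and looks like live coverage. Judging by the sibling MsBuild rule, the second clause was presumably meant to exclude loopback destinations: `and not destination.ip:(\"127.0.0.1\" or \"::1\")`. Because this PR touches every line around it, fixing the query here avoids shipping a rule that is silently inert.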
@@ -1,20 +1,21 @@
 {
 "description": "Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "MsXsl Making Network Connections",
 "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1220",
 "name": "XSL Script Processing",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
index e35843bc9b413..3e04dd4be292b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
@@ -1,20 +1,20 @@
 {
 "description": "Identifies use of the SysInternals tool PsExec to execute commands on a remote host. This is an indication of lateral movement and may detect adversaries.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "PsExec Lateral Movement Command",
 "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ",
 "risk_score": 50,
 "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce",
 "severity": "low",
- "tags": [
- "EIA"
- ],
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
index 9d3b0361c9d29..ac66af50ecd1d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
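Review bot: `risk_score` is 50 while `severity` stays `low`, but every other rule in this patch pairs 50 with `medium` and 25 with `low`, so this pairing is inconsistent and looks like an oversight; suggest `"severity": "medium",`. The query string also ends with a trailing space (`... NetworkConnect)\" "`) that the PR's cleanup of extra characters did not catch. This is the only rule in the set with no `threat` mapping, which means signals from it carry no tactic or technique for the histogram this PR adds.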
@@ -1,20 +1,21 @@ { "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Suspicious MS Office Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", "risk_score": 25, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "severity": "low", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { 
@@ -22,7 +23,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1193",
 "name": "Spearphishing Attachment",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
index f445cb187c428..928144f0ecf0c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
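Review bot: The office rule's `"query"` context line still starts with a space inside the string (`" event.action:...`), whereas the very next file in this diff (eql_suspicious_ms_outlook_child_process.json) rewrites the same kind of line to drop it; the same leading space survives in eql_suspicious_pdf_reader_child_process.json, eql_system_shells_via_services.json, eql_user_account_creation.json and eql_user_added_to_administrator_group.json, and eql_volume_shadow_copy_deletion_via_vssadmin.json trims the leading space but keeps the trailing one (`\"shadows\") "`). KQL should treat the whitespace as harmless, so this is cosmetic, but a commit that sets out to strip extra characters from these rules is the place to make the trimming uniform. For this rule the line would read `"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(...) and process.name:(...)",` with both process lists unchanged and no space before the closing quote.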
@@ -1,20 +1,21 @@ { "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Suspicious MS Outlook Child Process", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or 
\"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", "risk_score": 25, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "severity": "low", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, - "techniques": [ + "technique": [ { "id": "T1193", "name": "Spearphishing Attachment", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json index 0b44ebd922c02..160da5b899042 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json 
@@ -1,20 +1,21 @@ { "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "EQL - Suspicious PDF Reader Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", "risk_score": 75, "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f", "severity": "high", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { 
@@ -22,7 +23,7 @@
 "name": "Execution",
 "reference": "https://attack.mitre.org/tactics/TA0002/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1193",
 "name": "Spearphishing Attachment",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
index 687f5c0db2dab..268e8110c508d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
@@ -1,20 +1,21 @@
 {
 "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "System Shells via Services",
 "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")",
 "risk_score": 50,
 "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
 "severity": "medium",
- "tags": [
- "EIA"
- ],
- "threats": [
+ "tags": ["Elastic"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/tactics/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1050",
 "name": "New Service",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
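Review bot: The unchanged `"name": "EQL - Suspicious PDF Reader Child Process"` keeps an `EQL - ` prefix that no other rule name in this commit carries (its office and outlook siblings are `Suspicious MS Office Child Process` and `Suspicious MS Outlook Child Process`), and eql_unusual_parentchild_relationship.json further down has `"name": "Unusual Parent-Child Relationship "` with a trailing space that users will see and that breaks any exact match on the name. Both are one-line fixes in this cleanup pass: `"name": "Suspicious PDF Reader Child Process",` and `"name": "Unusual Parent-Child Relationship",`.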
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json index 4893f80e8b56c..7332cc7710347 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json @@ -1,20 +1,21 @@ { "description": "Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Unusual Network Connection via RunDLL32", "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 25, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "low", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, - "techniques": [ + "technique": [ { "id": "T1085", "name": "Rundll32", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
index 29e3c998ebe02..d13d23a9354f7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
@@ -1,20 +1,21 @@ { "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Unusual Parent-Child Relationship ", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or 
(process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )", "risk_score": 50, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "severity": "medium", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, - "techniques": [ + "technique": [ { "id": "T1093", "name": "Process Hollowing", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json index ce34e4a352c88..138ecbb820513 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json 
@@ -1,20 +1,21 @@ { "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Unusual Process Network Connection", "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)", "risk_score": 25, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, - "techniques": [ + "technique": [ { "id": "T1127", "name": "Trusted Developer Utilities", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json index 5b94babaf8add..9f3ecdb7a7f57 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json 
@@ -1,20 +1,21 @@ { "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "User Account Creation", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ", "risk_score": 50, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "severity": "low", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, - "techniques": [ + "technique": [ { "id": "T1136", "name": "Create Account", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json index f0b770985c716..1a0e0f8dcb2ad 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json 
@@ -1,20 +1,21 @@ { "description": "Identifies attempts to add a user to an administrative group with the \"net.exe\" command. This is sometimes done by attackers to increase access of a compromised account or create new account.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "User Added to Administrator Group", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ", "risk_score": 50, "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27", "severity": "medium", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, - "techniques": [ + "technique": [ { "id": "T1098", "name": "Account Manipulation", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json index 8f23d398a48a7..794fec38b380e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json 
@@ -1,20 +1,21 @@ { "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Volume Shadow Copy Deletion via VssAdmin", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ", "risk_score": 75, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "severity": "high", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, - "techniques": [ + "technique": [ { "id": "T1490", "name": "Inhibit System Recovery", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json index fc18b2c0f5d70..a3e94b08275be 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json 
@@ -1,20 +1,21 @@ { "description": "Identifies use of wmic for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Volume Shadow Copy Deletion via WMIC", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")", "risk_score": 75, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "severity": "high", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, - "techniques": [ + "technique": [ { "id": "T1107", "name": "File Deletion", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json index ff3d660704eeb..868d84ef9ebce 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json 
@@ -1,20 +1,21 @@ { "description": "Identifies a PowerShell process launched by either CScript or WScript. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Script Executing PowerShell", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"", "risk_score": 50, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "severity": "low", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" }, - "techniques": [ + "technique": [ { "id": "T1193", "name": "Spearphishing Attachment", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json index 5a9bda9e8ddfa..5c2804507cbd2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json 
@@ -1,20 +1,21 @@ { "description": "Identifies use of wmic.exe to run commands on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "WMIC Command Lateral Movement", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")", + "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")", "risk_score": 25, "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210", "severity": "low", - "tags": [ - "EIA" - ], - "threats": [ + "tags": ["Elastic"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, - "techniques": [ + "technique": [ { "id": "T1047", "name": "Windows Management Instrumentation", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json index 1557f9ff4bb30..d0a07ce2d0365 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json 
@@ -1,27 +1,25 @@
 {
 "description": "Hping ran on a Linux host. Hping is FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications including scanning and firewall auditing.",
- "enabled": false,
 "false_positives": [
 "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
 ],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Hping Process Activity",
 "query": "process.name: hping and event.action:executed",
- "references": [
- "https://en.wikipedia.org/wiki/Hping"
- ],
+ "references": ["https://en.wikipedia.org/wiki/Hping"],
 "risk_score": 75,
 "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
 "severity": "high",
- "tags": [
- "Elastic",
- "linux"
- ],
- "to": "now",
+ "tags": ["Elastic", "linux"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
index 83c47d0d5c970..1a116735e98f3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
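Review bot: The `index` list added to this Linux rule — and, in the following hunks, to linux_iodine_activity.json, linux_ldso_process_activity.json and linux_lzop_activity.json — includes `winlogbeat-*`, `apm-*-transaction*`, `packetbeat-*`, `filebeat-*` and `endgame-*`, although the query `process.name: hping and event.action:executed` describes Auditbeat process events, and linux_kernel_module_activity.json in this same commit scopes an equivalent query to `"index": ["auditbeat-*"]`. Every extra pattern a rule does not need widens what its scheduled searches read and the set of indices whose mappings can break it, so narrowing these four to `"index": ["auditbeat-*"]` (plus any other source that really emits `event.action:executed` for Linux — please confirm) would make the Linux rules consistent with the kernel-module one.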
@@ -1,27 +1,25 @@
 {
 "description": "Iodine is a tool for tunneling internet protocol version 4 (IPV4) trafic over the DNS protocol in order to circumvent firewalls, network security groups or network access lists while evading detection.",
- "enabled": false,
 "false_positives": [
 "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."
 ],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "max_signals": 33,
 "name": "Potential DNS Tunneling via Iodine",
 "query": "process.name: (iodine or iodined) and event.action:executed",
- "references": [
- "https://code.kryo.se/iodine/"
- ],
+ "references": ["https://code.kryo.se/iodine/"],
 "risk_score": 75,
 "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
 "severity": "high",
- "tags": [
- "Elastic",
- "linux"
- ],
- "to": "now",
+ "tags": ["Elastic", "linux"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
index 6a448caac89e4..1529862571381 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
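Review bot: The description context line in this hunk misspells `trafic`, and linux_ldso_process_activity.json two hunks later has `privlieged` and `privlieges` in its description; these strings are shown to every user of the prepackaged rules, so they are worth catching in a cleanup commit. Proposed lines: `"description": "Iodine is a tool for tunneling internet protocol version 4 (IPV4) traffic over the DNS protocol in order to circumvent firewalls, network security groups or network access lists while evading detection.",` here, and for ld.so `"description": "ld.so runs in a privileged context and can be used to escape restrictive environments by spawning a shell in order to elevate privileges or move laterally.",`.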
@@ -1,16 +1,9 @@
 {
 "description": "Identifies loadable kernel module errors, often indicative of potential persistence attempts.",
- "enabled": false,
 "false_positives": [
 "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon."
 ],
- "from": "now-6m",
- "immutable": true,
- "index": [
- "auditbeat-*"
- ],
- "interval": "5m",
- "language": "kuery",
+ "index": ["auditbeat-*"],
 "max_signals": 33,
 "name": "Persistence via Kernel Module Modification",
 "query": "process.name: (insmod or kmod or modprobe or rmod) and event.action:executed",
@@ -20,11 +13,8 @@
 "risk_score": 25,
 "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40",
 "severity": "low",
- "tags": [
- "EIA",
- "auditbeat"
- ],
- "threats": [
+ "tags": ["Elastic", "auditbeat"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -32,7 +22,7 @@
 "name": "Persistence",
 "reference": "https://attack.mitre.org/techniques/TA0003/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1215",
 "name": "Kernel Modules and Extensions",
@@ -41,7 +31,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
index 8e53ee96fd8f3..187fc6379ef25 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json
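Review bot: The first hunk removes `"language": "kuery"` together with the scheduling fields, but every sibling rule in this commit keeps `language`; if the rule schema requires it for `type: query` (as I would expect, but cannot confirm from here) this rule will be rejected at load, and even if a default exists the deletion looks accidental. Restore it right after the new index line: `"index": ["auditbeat-*"],` / `"language": "kuery",`. Two smaller points on unchanged lines: the tactic reference `https://attack.mitre.org/techniques/TA0003/` uses the technique path for a tactic id where the other rules use `https://attack.mitre.org/tactics/TA0003/`, and `rmod` in the query is probably a typo for `rmmod`, which would mean module removals are never matched — worth confirming against the intended coverage.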
@@ -1,13 +1,16 @@ { "description": "ld.so runs in a privlieged context and can be used to escape restrictive environments by spawning a shell in order to elevate privlieges or move laterally.", - "enabled": false, "false_positives": [ "ld.so is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or administrators. Use of ld.so by non-engineers or ordinary users is uncommon." ], - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Ld.so Process Activity", @@ -15,11 +18,7 @@ "risk_score": 25, "rule_id": "3f31a31c-f7cf-4268-a0df-ec1a98099e7f", "severity": "low", - "tags": [ - "Elastic", - "linux" - ], - "to": "now", + "tags": ["Elastic", "linux"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json index 77953240c2185..8061ff72e130b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json 
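Review bot: The description contains the misspellings `privlieged` and `privlieges`; this text is displayed to analysts in the rule details, so it should read `privileged` and `privileges`. The same typo appears in the descriptions of linux_strace_activity.json and linux_whoami_commmand.json in this commit. The hunk leaves those lines as context, so a small follow-up edit is sufficient.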
@@ -1,17 +1,20 @@
 {
 "description": "Linux lzop activity - possible @JulianRunnels",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Linux lzop activity",
 "query": "process.name:lzop and event.action:executed",
 "risk_score": 50,
 "rule_id": "d7359214-54a4-4572-9e51-ebf79cda9b04",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
index ea5a6287a8d7c..1fe4802c6cf79 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
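Review bot: The description `Linux lzop activity - possible @JulianRunnels` is a draft note with a GitHub handle, not documentation; a shipped rule needs a description stating what lzop is and why its execution is of interest, plus a `false_positives` entry, as the neighbouring rules have. The newly added `"tags": ["Elastic"]` also drops the `linux` tag that the other Linux rules in this commit carry (`"tags": ["Elastic", "linux"]`), which breaks tag-based filtering. The same name-as-description placeholder pattern is present in linux_network_anomalous_process_using_https_ports.json, linux_ptrace_activity.json, linux_rawshark_activity.json, linux_web_download.json and network_port_8000_activity.json.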
@@ -1,27 +1,25 @@ { "description": "The Linux mknod program is sometimes used in the command paylod of remote command injection (RCI) and other exploits to export a command shell when the traditional version of netcat is not available to the payload.", - "enabled": false, "false_positives": [ "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious." ], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Mknod Process Activity", "query": "process.name: mknod and event.action:executed", - "references": [ - "https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem" - ], + "references": ["https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem"], "risk_score": 25, "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", "severity": "low", - "tags": [ - "Elastic", - "linux" - ], - "to": "now", + "tags": ["Elastic", "linux"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json index 60943512f45ae..6d57d0cbab375 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json 
@@ -1,12 +1,16 @@ { "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltation. ", - "enabled": false, "false_positives": [ "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools and frameworks." ], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Netcat Network Activity", @@ -19,11 +23,7 @@ "risk_score": 50, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "severity": "medium", - "tags": [ - "Elastic", - "linux" - ], - "to": "now", + "tags": ["Elastic", "linux"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json index d04f6610f450d..f10c940f8bb93 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json 
@@ -1,17 +1,20 @@ { "description": "Linux Network - Anomalous Process Using HTTP/S Ports", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Linux Network - Anomalous Process Using HTTP/S Ports", "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:curl and not process.name:http and not process.name:https and not process.name:nginx and not process.name:packetbeat and not process.name:python2 and not process.name:snapd and not process.name:wget", "risk_score": 50, "rule_id": "be40c674-1799-4a00-934d-0b2d54495913", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json index f10d3cf5470e4..b2284eea3f309 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json 
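Review bot: The suppression list in the query is a long chain of `not process.name:` terms with no explanation, and the rule has no `false_positives` entry at all; recording why `curl`, `wget`, `nginx`, `packetbeat`, `python2` and `snapd` are excluded under `"false_positives": [...]` would let operators judge whether the exclusions fit their environment. The description repeats the rule name verbatim; one sentence on what is detected (outbound 80/443 traffic to non-RFC1918 destinations from a process not on the exclusion list) would be more useful in the rule details. The `index` and `tags` additions are consistent with the rest of the commit.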
@@ -1,27 +1,25 @@ { "description": "Nmap ran on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks and identify listneing services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", - "enabled": false, "false_positives": [ "Security testing tools and frameworks may run nmap in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." ], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Nmap Process Activity", "query": "process.name: nmap", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], + "references": ["https://en.wikipedia.org/wiki/Nmap"], "risk_score": 25, "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", "severity": "low", - "tags": [ - "Elastic", - "linux" - ], - "to": "now", + "tags": ["Elastic", "linux"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json index ad25602c86897..4d37f32fb3ca0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json 
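Review bot: The query `process.name: nmap` has no `event.action:executed` qualifier, unlike every sibling process rule in this commit, so with the new six-pattern `index` list it will match any document that names the process (socket and network events included) and produce repeated signals for one run; suggest `"query": "process.name: nmap and event.action:executed",`. The description also misspells listening as `listneing`.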
@@ -1,27 +1,25 @@ { "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications including denial of service testing.", - "enabled": false, "false_positives": [ "Some normal use of this command may originate from security engineers and network or server administrators but this is usually not routine or unannounced. Use of nping by non-engineers or ordinary users is uncommon." ], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Nping Process Activity", "query": "process.name: nping and event.action:executed", - "references": [ - "https://en.wikipedia.org/wiki/Nmap" - ], + "references": ["https://en.wikipedia.org/wiki/Nmap"], "risk_score": 50, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "medium", - "tags": [ - "Elastic", - "linux" - ], - "to": "now", + "tags": ["Elastic", "linux"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json index 7f1d2860027a8..d38cead306cd4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json 
@@ -1,12 +1,16 @@ { "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.", - "enabled": false, "false_positives": [ "Build systems like Jenkins may start processes in the /tmp directory. These can be exempted by name or by username." ], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Unusual Process Execution - Temp", @@ -14,11 +18,7 @@ "risk_score": 50, "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", "severity": "medium", - "tags": [ - "Elastic", - "linux" - ], - "to": "now", + "tags": ["Elastic", "linux"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json index 47ae28cf8ea4c..6f99312c04a00 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json @@ -1,16 +1,20 @@ { "description": "Linux: Ptrace Activity", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Linux: Ptrace Activity", "query": "process.name: ptrace and event.action:executed", "risk_score": 50, "rule_id": "1bff9259-e160-4920-bf72-4c96b6dbb7af", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } 
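Review bot: In linux_ptrace_activity.json the query `process.name: ptrace and event.action:executed` is unlikely to ever match: ptrace is a system call, not the name of a standard Linux binary, so on process-execution events the rule would stay silent (the actual tracing tools are `strace`, `ltrace` and `gdb`, and strace has its own rule in this commit). If the intent is to detect use of the syscall, the rule needs a different data source and field (auditd syscall records), which should be confirmed before shipping. The description `Linux: Ptrace Activity` also just repeats the name.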
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json
index d4924cab7048f..148468e959899 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json
@@ -1,16 +1,20 @@
 {
 "description": "Linux: Rawshark Activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Linux: Rawshark Activity",
 "query": "process.name: rawshark and event.action:executed",
 "risk_score": 50,
 "rule_id": "30eb2b9d-b53b-4ba5-bfab-7119a8b84029",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
index ed8bc30afbfa5..1711f45e770ed 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -1,31 +1,19 @@ { "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", - "enabled": false, "false_positives": [ "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." ], - "filters": [], - "from": "now-6m", - "immutable": true, - "index": [ - "auditbeat-*" - ], - "interval": "5m", + "index": ["auditbeat-*"], "language": "kuery", "max_signals": 33, "name": "Potential Shell via Web Server", "query": "process.name: bash and (user.name: apache or www) and event.action:executed", - "references": [ - "https://pentestlab.blog/tag/web-shell/" - ], + "references": ["https://pentestlab.blog/tag/web-shell/"], "risk_score": 50, "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", "severity": "low", - "tags": [ - "Elastic", - "linux" - ], - "threats": [ + "tags": ["Elastic", "linux"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -33,7 +21,7 @@ "name": "Persistence", "reference": "https://attack.mitre.org/techniques/TA0003/" }, - "techniques": [ + "technique": [ { "id": "T1100", "name": "Web Shell", @@ -42,7 +30,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json index c920bfb7d9a15..364a2bee65c23 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json 
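Review bot: The query `process.name: bash and (user.name: apache or www) and event.action:executed` does not scope `www` to `user.name`: in KQL a bare term after `or` is a free-text search across default fields, so the rule fires on any bash execution whose document contains `www` anywhere. The intended grouping is `"query": "process.name: bash and user.name: (apache or www) and event.action:executed",` (and if the Debian web-server account was meant, `www-data` rather than `www`, to be confirmed). The tactic reference `https://attack.mitre.org/techniques/TA0003/` uses the technique path for a tactic id and should be `https://attack.mitre.org/tactics/TA0003/`.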
@@ -1,12 +1,16 @@ { "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Socat is also sometimes used for lateral movement. ", - "enabled": false, "false_positives": [ "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious." ], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Socat Process Activity", @@ -17,11 +21,7 @@ "risk_score": 50, "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126", "severity": "medium", - "tags": [ - "Elastic", - "linux" - ], - "to": "now", + "tags": ["Elastic", "linux"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json index d3b71573e03e3..3447689f08d62 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json 
@@ -1,28 +1,26 @@ { "description": "An SSH processes ran with the `-R` flag which can be used to forward a port to a remote destination for purposes of pivoting and persistence. This technique often used to create encrypted tunnels and circumvent firewalls, security groups or network access lists.", - "enabled": false, "false_positives": [ "Some normal use of this command may originate from usage by engineers as an alternative or ad-hoc remote access solution. Use of this command by non-administrative users is uncommon." ], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Potential Lateral Movement via SSH Port Forwarding", "query": "process.name:ssh and process.args:\"-R\" and event.action:executed", - "references": [ - "https://www.ssh.com/ssh/tunneling", - "https://www.ssh.com/ssh/tunneling/example" - ], + "references": ["https://www.ssh.com/ssh/tunneling", "https://www.ssh.com/ssh/tunneling/example"], "risk_score": 50, "rule_id": "45d256ab-e665-445b-8306-2f83a8db59f8", "severity": "medium", - "tags": [ - "Elastic", - "linux" - ], - "threats": [ + "tags": ["Elastic", "linux"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -30,7 +28,7 @@ "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/" }, - "techniques": [ + "technique": [ { "id": "T1184", "name": "SSH Hijacking", @@ -39,7 +37,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json index 29b4ae17f3108..b0c2b4ecd07c2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json 
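Review bot: The technique mapped to this rule, `T1184` SSH Hijacking, describes reuse of existing SSH sessions or agent sockets, whereas the query `process.name:ssh and process.args:"-R" and event.action:executed` detects remote port forwarding, which is tunnelling or proxying (T1090 Connection Proxy is the closer fit); since `threat.technique` is what gets written into signals, the mapping is worth confirming before it ships. The tactic reference `https://attack.mitre.org/tactics/TA0008/` is correct for Lateral Movement. The description's `This technique often used` is missing "is".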
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json @@ -1,27 +1,25 @@ { "description": "Strace runs in a privlieged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privlieges or move laterally.", - "enabled": false, "false_positives": [ "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing." ], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Strace Process Activity", "query": "process.name: strace and event.action:executed", - "references": [ - "https://en.wikipedia.org/wiki/Strace" - ], + "references": ["https://en.wikipedia.org/wiki/Strace"], "risk_score": 25, "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", "severity": "low", - "tags": [ - "Elastic", - "linux" - ], - "to": "now", + "tags": ["Elastic", "linux"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json index 8a3b6f29bb8bf..594aee0eca708 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json 
@@ -1,12 +1,16 @@ { "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet 'sniffing' tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.", - "enabled": false, "false_positives": [ "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting." ], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Network Sniffing via Tcpdump", @@ -14,11 +18,8 @@ "risk_score": 25, "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", "severity": "low", - "tags": [ - "Elastic", - "linux" - ], - "threats": [ + "tags": ["Elastic", "linux"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -26,7 +27,7 @@ "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/" }, - "techniques": [ + "technique": [ { "id": "T1040", "name": "Network Sniffing", @@ -41,7 +42,7 @@ "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, - "techniques": [ + "technique": [ { "id": "T1040", "name": "Network Sniffing", @@ -50,7 +51,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json index 876a3fef7aa09..311e2b5779602 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json 
@@ -1,16 +1,20 @@ { "description": "Linux: Web Download", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Linux: Web Download", "query": "process.name: (curl or wget) and event.action:executed", "risk_score": 50, "rule_id": "e8ec93a6-49d2-4467-8c12-81c435fcc519", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json index eecd79c0bca00..a370a44d4eb46 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json @@ -1,15 +1,6 @@ { "description": "The 'whoami' command was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privlieged access.", - "enabled": false, - "false_positives": [ - "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." - ], - "from": "now-6m", - "immutable": true, - "index": [ - "auditbeat-*" - ], - "interval": "5m", + "index": ["auditbeat-*"], "language": "kuery", "max_signals": 33, "name": "User Discovery via Whoami", @@ -17,11 +8,8 @@ "risk_score": 25, "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", "severity": "low", - "tags": [ - "Elastic", - "linux" - ], - "threats": [ + "tags": ["Elastic", "linux"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { 
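Review bot: In the first hunk of linux_whoami_commmand.json the whole `false_positives` array ("Security testing tools and frameworks may run this command...") is deleted along with the scheduling fields, while every other rule in this commit keeps its `false_positives`; this reads as an accidental over-deletion, and the entry should be restored since `whoami` is a high-noise command and the text is the analyst's main tuning hint. The file name `linux_whoami_commmand.json` also has a triple "m", which will be awkward to correct later once rule ids and paths are referenced elsewhere.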
@@ -29,7 +17,7 @@ "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/" }, - "techniques": [ + "technique": [ { "id": "T1033", "name": "System Owner/User Discovery", @@ -38,7 +26,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json index 3b080df89c335..5c1d64e294159 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json @@ -1,13 +1,16 @@ { "description": "This signal detects DNS network traffic logs that indicate an internal network\nclient reaching out to infrastructure on the Internet directly to answer name\nqueries. This activity could be a default or misconfiguration. This impacts\nyour organization's ability to provide enterprise monitoring and logging of DNS\nand opens your network to a variety of abuses or malicious communications.\n", - "enabled": false, "false_positives": [ "You should apply a filter to this rule to exclude your enterprise nameservers that are expected to reach out to the Internet" ], - "filters": [], - "from": "now-6m", - "interval": "5m", - "language": "kuery", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "name": "DNS Activity to the Internet", "query": "destination.port:53 and (\n network.direction: outbound or (\n source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\\:\\:fb or 255.255.255.255 )\n )\n)\n", "references": [ 
@@ -17,11 +20,8 @@ "risk_score": 50, "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", "severity": "low", - "tags": [ - "Elastic", - "network" - ], - "threats": [ + "tags": ["Elastic", "network"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -29,7 +29,7 @@ "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, - "techniques": [ + "technique": [ { "id": "T1043", "name": "Commonly Used Port", @@ -38,7 +38,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json index e88f20e39adec..62064db7e1443 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json 
@@ -1,20 +1,21 @@ { "description": "This signal detects events that may indicate the use of FTP network connections.\nThe File Transfer Protocol (FTP) has been around in its current form since the\n1980's. It can be an efficient and normal procedure on your network to send and\nreceive files. Because it is common and efficient, adversaries will also often\nuse this protocol to exfiltrate data from your network or download new tools.\nAdditionally, FTP is a plaintext protocol which may expose your username and\npassword, if intercepted.\n", - "enabled": false, - "filters": [], - "from": "now-6m", - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "FTP (File Transfer Protocol) Activity to the Internet", "query": "network.transport: tcp and destination.port: (20 or 21) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 25, "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", "severity": "low", - "tags": [ - "Elastic", - "network" - ], - "threats": [ + "tags": ["Elastic", "network"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, - "techniques": [ + "technique": [ { "id": "T1043", "name": "Commonly Used Port", @@ -37,7 +38,7 @@ "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0011/" }, - "techniques": [ + "technique": [ { "id": "T1043", "name": "Exfiltration Over Alternative Protocol", @@ -46,7 +47,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } 
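Review bot: The second `threat` entry names the tactic `Exfiltration` but references `https://attack.mitre.org/tactics/TA0011/`, which is Command and Control; the Exfiltration tactic id is `TA0010`, so the line should be `"reference": "https://attack.mitre.org/tactics/TA0010/"`. The technique under it is `"id": "T1043"` with `"name": "Exfiltration Over Alternative Protocol"`, but T1043 is Commonly Used Port (as the first entry correctly states) and Exfiltration Over Alternative Protocol is `T1048`; the technique `reference` line sits outside the hunk and presumably needs the same correction. The identical mismatch is present in network_irc_internet_relay_chat_protocol_activity_to_the_internet.json and network_port_26_activity.json below, and since `threat.tactic.name` and `threat.technique` are now mapped signal fields these wrong ids will surface in every dashboard that groups on them.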
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json index 183caff8939cd..4590fdf39d143 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json @@ -1,20 +1,21 @@ { "description": "This signal detects events that use common ports for IRC to the Internet. IRC\nis a common protocol that can be used chat and file transfer. This protocol\nalso makes a good candidate for remote control of malware and data transfer in\nand out of a network.\n", - "enabled": false, - "filters": [], - "from": "now-6m", - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", "query": "network.transport: tcp and destination.port:(6667 or 6697) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 25, "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", "severity": "low", - "tags": [ - "Elastic", - "network" - ], - "threats": [ + "tags": ["Elastic", "network"], + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -22,7 +23,7 @@ "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, - "techniques": [ + "technique": [ { "id": "T1043", "name": "Commonly Used Port", 
@@ -37,7 +38,7 @@ "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0011/" }, - "techniques": [ + "technique": [ { "id": "T1043", "name": "Exfiltration Over Alternative Protocol", @@ -46,7 +47,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json index 110d940743e94..e74bed3463993 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json @@ -1,9 +1,13 @@ { "description": "This signal detects events that could be describing IPSEC NAT Traversal traffic.\nIPSEC is a VPN technology that allows one system to talk to another using\nencrypted tunnels. NAT Traversal enables these tunnels to communicate over\nthe Internet where one of the sides is behind a NAT router gateway. This may\nbe common on your network, but this technique is also used by threat actors\nto avoid detection.\n", - "enabled": false, - "filters": [], - "from": "now-6m", - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "IPSEC NAT Traversal Port Activity", "query": "network.transport: udp and destination.port: 4500", @@ -11,7 +15,7 @@ "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", "tags": ["Elastic", "network"], - "threats": [ + "threat": [ { "framework": "MITRE ATT&CK", "tactic": { @@ -19,7 +23,7 @@ "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, - "techniques": [ + "technique": [ { "id": "T1043", "name": "Commonly Used Port", 
@@ -28,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
index 6efbd2494346e..e05e83ff0a1ee 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
@@ -1,9 +1,13 @@
 {
 "description": "This signal detects events that may indicate use of SMTP on TCP port 26. This\nport is commonly used by several popular mail transfer agents to deconflict\nwith the default SMTP port 25. This port has also been used by a malware family\ncalled BadPatch for command and control of Windows systems.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "SMTP on Port 26/TCP",
 "query": "network.transport: tcp and destination.port: 26",
@@ -14,11 +18,8 @@
 "risk_score": 25,
 "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -26,7 +27,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -41,7 +42,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
@@ -50,7 +51,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
index 218109b73221d..73a634a3a9f42 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json
@@ -1,17 +1,20 @@
 {
 "description": "Network - Port 8000 Activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Network - Port 8000 Activity",
 "query": "destination.port:8000",
 "risk_score": 50,
 "rule_id": "9c5f8092-e3f7-4eda-b9d3-56eed28fb157",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
index 96c04167dfeca..e193ab83d89fd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
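Review bot: The added `+ "tags": ["Elastic"],` in network_port_8000_activity.json omits the `network` tag that every sibling network rule in this patch carries, and the unchanged `description` merely repeats the rule name, so a reader gets no rationale for a `risk_score` of 50 on a bare `destination.port:8000` query that has neither a transport or direction clause nor a `threat` mapping. Suggest `"tags": ["Elastic", "network"],` plus a description saying what port 8000 activity is meant to indicate, or folding this rule into network_port_8000_activity_to_the_internet.json, which already covers the port with a direction clause and a threat entry.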
@@ -1,20 +1,21 @@
 {
 "description": "TCP Port 8000 is commonly used for development environments of web server\nsoftware. It generally should not be exposed directly to the Internet. If you are\nrunning software like this on the Internet, you should consider placing it behind\na reverse proxy.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "TCP Port 8000 Activity to the Internet",
 "query": "network.transport: tcp and destination.port: 8000 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 25,
 "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
index 61b10ab0f2404..7b527dbc09a44 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
@@ -1,20 +1,20 @@
 {
 "description": "This signal detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "PPTP (Point to Point Tunneling Protocol) Activity",
 "query": "network.transport: tcp and destination.port: 1723",
 "risk_score": 25,
 "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "to": "now",
+ "tags": ["Elastic", "network"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
index 60ba2d0a93b89..50f521ea91e2b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects events that may describe network events of proxy use to the\nInternet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically\nenvironments will use an internal IP address for a proxy server. It can also\nbe used to circumvent network controls and detection mechanisms.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Proxy Port Activity to the Internet",
 "query": "network.transport: tcp and destination.port: (3128 or 8080 or 1080) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 25,
 "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
index e03694be5c9a3..edd4aa456974d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of RDP traffic\nfrom the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "RDP (Remote Desktop Protocol) from the Internet",
 "query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 50,
 "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
index bfa402624f05a..c9f3f95ad1e07 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of RDP traffic\nto the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "RDP (Remote Desktop Protocol) to the Internet",
 "query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 50,
 "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -37,7 +38,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
@@ -46,7 +47,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
index 5ae41db83fa58..9f5a60f1743d7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of RPC traffic\nfrom the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "RPC (Remote Procedure Call) from the Internet",
 "query": "network.transport: tcp and destination.port: 135 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 50,
 "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
index 9e0b91ee16d25..b860158ef93d3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of RPC traffic\nto the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "RPC (Remote Procedure Call) to the Internet",
 "query": "network.transport: tcp and destination.port: 135 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 50,
 "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
index e1a2b98aae4b2..fa1f1aba66e83 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of Windows\nfile sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly\nused within networks to share files, printers, and other system resources amongst\ntrusted systems. It should almost never be directly exposed to the Internet, as\nit is frequently targetted and exploited by threat actors as an initial access\nor backdoor vector or for data exfiltration.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "SMB (Windows File Sharing) Activity to the Internet",
 "query": "network.transport: tcp and destination.port: (139 or 445) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 50,
 "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -37,7 +38,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
@@ -46,7 +47,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
index d763650243bf8..85c8b3f05166c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects events that may describe SMTP traffic from internal\nhosts to a host across the Internet. In an enterprise network, there is typically\na dedicate host that is internal that could perform this function. It is also\nfrequently abused by threat actors for command and control or data exfiltration.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "SMTP to the Internet",
 "query": "network.transport: tcp and destination.port: (25 or 465 or 587) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 50,
 "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -37,7 +38,7 @@
 "name": "Exfiltration",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Exfiltration Over Alternative Protocol",
@@ -46,7 +47,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
index c52730658f7d2..e0998029081d3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
@@ -1,20 +1,20 @@
 {
 "description": "This signal detects events that may describe database traffic\n(MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases\nshould almost never be directly exposed to the Internet, as they are\nfrequently targeted by threat actors to gain initial access to network resources.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "SQL Traffic to the Internet",
 "query": "network.transport: tcp and destination.port: (1433 or 1521 or 3336 or 5432) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 50,
 "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "to": "now",
+ "tags": ["Elastic", "network"],
 "type": "query",
 "version": 1
 }
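Review bot: The query in network_sql_server_port_activity_to_the_internet.json lists `destination.port: (1433 or 1521 or 3336 or 5432)` while its description names MySQL, whose default port is 3306; 3336 looks like a transposition and would make the rule silently miss MySQL traffic. Change `3336` to `3306` unless a different service is intended, in which case the description should name it. This rule also carries no `threat` block even though its description gives the same initial-access rationale the other to-the-internet rules map to ATT&CK.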
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
index fb28fdcaca3a5..2428909491584 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "SSH (Secure Shell) from the Internet",
 "query": "network.transport: tcp and destination.port:22 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 25,
 "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0001/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -37,7 +38,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -46,7 +47,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
index 4ac8993cae0a8..cf77f9363f525 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "SSH (Secure Shell) to the Internet",
 "query": "network.transport: tcp and destination.port:22 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 25,
 "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
index 64310e378d5f1..a9a364b1b14bd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
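Review bot: The description in network_ssh_secure_shell_to_the_internet.json still says the rule detects "the use of SSH traffic\nfrom the Internet", although the rule name and the `network.direction: outbound` clause of the query are about traffic to the Internet; the text appears to have been copied from the from-the-internet rule. network_vnc_virtual_network_computing_to_the_internet.json later in this patch has the same mismatch. Suggest changing the opening to `...may indicate the use of SSH traffic\nto the Internet...` (and the VNC counterpart likewise) so the signal text an analyst reads agrees with what the query matches.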
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of Telnet traffic.\nTelnet is commonly used by system administrators to remotely control older or embeded\nsystems using the command line shell. It should almost never be directly exposed to\nthe Internet, as it is frequently targetted and exploited by threat actors as an\ninitial access or backdoor vector. As a plaintext protocol, it may also expose\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Telnet Port Activity",
 "query": "network.transport: tcp and destination.port: 23",
 "risk_score": 50,
 "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -37,7 +38,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -46,7 +47,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
index 3bb70f8bfe684..811a81c0e6754 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
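Review bot: The description in network_telnet_port_activity.json ends mid-sentence at `As a plaintext protocol, it may also expose\n`, so the rule text an analyst sees in the signal is truncated and the key point of the sentence is lost. Finish the sentence, for example `...it may also expose credentials and session content to anyone able to observe the traffic.\n`; the description also spells "embedded" as `embeded`.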
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of Tor traffic\nto the Internet. Tor is a network protocol that sends traffic through a\nseries of encrypted tunnels used to conceal a user's location and usage.\nTor may be used by threat actors as an alternate communication pathway to\nconceal the actor's indentity and avoid detection.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Tor Activity to the Internet",
 "query": "network.transport: tcp and destination.port: (9001 or 9030) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 25,
 "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -31,7 +32,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
index 01519fa40c820..d46ee76ba72b2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "VNC (Virtual Network Computing) from the Internet",
 "query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 25,
 "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@
 "name": "Initial Access",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1190",
 "name": "Exploit Public-Facing Application",
@@ -37,7 +38,7 @@
 "name": "Command and Control",
 "reference": "https://attack.mitre.org/tactics/TA0011/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1043",
 "name": "Commonly Used Port",
@@ -46,7 +47,6 @@
 ]
 }
 ],
- "to": "now",
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
index 94afe98f7807a..d820cedc335ab 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
@@ -1,20 +1,21 @@
 {
 "description": "This signal detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "VNC (Virtual Network Computing) to the Internet",
 "query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
 "risk_score": 25,
 "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
 "severity": "low",
- "tags": [
- "Elastic",
- "network"
- ],
- "threats": [
+ "tags": ["Elastic", "network"],
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -22,7 +23,7 @@ "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, - "techniques": [ + "technique": [ { "id": "T1043", "name": "Commonly Used Port", @@ -31,7 +32,6 @@ ] } ], - "to": "now", "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json index b819e61cda7ec..9d787d3ab738f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json @@ -1,9 +1,16 @@ { "description": "A request to a web application server contained no identifying user agent string.", - "enabled": false, "false_positives": [ "Some normal applications and scripts may contain no user agent. Most legitmate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." ], + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "filters": [ { "$state": { @@ -22,24 +29,15 @@ } } ], - "from": "now-6m", - "immutable": true, - "interval": "5m", "language": "kuery", "max_signals": 33, "name": "Web Application Suspicious Activity: No User Agent", "query": "url.path: *", - "references": [ - "https://en.wikipedia.org/wiki/User_agent" - ], + "references": ["https://en.wikipedia.org/wiki/User_agent"], "risk_score": 50, "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d", "severity": "low", - "tags": [ - "Elastic", - "apm" - ], - "to": "now", + "tags": ["Elastic", "apm"], "type": "query", "version": 1 } 
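Review bot: The new `index` list for the null-user-agent rule is the same six-pattern set given to every rule in this patch, but its query (`url.path: *` plus the user-agent filter) only applies to web, proxy and APM sources; including `auditbeat-*`, `endgame-*` and `winlogbeat-*` makes every execution scan host-telemetry indices that will never match. Presumably the blanket list is a stopgap for the breaking bug the commit message describes; if so, a narrower list such as `"index": ["apm-*-transaction*", "filebeat-*", "packetbeat-*"]` would cut the per-interval query cost without losing coverage — confirm which shippers actually populate `url.path` before narrowing. The filter body that defines the missing-user-agent condition is truncated in this hunk, so I cannot check it against the description.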
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json index cb9413b9c108e..c92b801995837 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json @@ -1,27 +1,24 @@ { "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11 which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. ", - "enabled": false, "false_positives": [ "This signal does not indicate that a SQL injection attack occured, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." ], - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Web Application Suspicious Activity: sqlmap User Agent", "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"", - "references": [ - "http://sqlmap.org/" - ], + "references": ["http://sqlmap.org/"], "risk_score": 50, "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", "severity": "low", - "tags": [ - "Elastic", - "apm" - ], - "to": "now", + "tags": ["Elastic", "apm"], "type": "query", "version": 1 } 
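Review bot: The query matches one exact user-agent string, `sqlmap/1.3.11#stable (http://sqlmap.org)`, so any other sqlmap release (the version is embedded in the string) or a run with `--random-agent` is missed entirely. The description concedes this is an example, but shipping it as a prepackaged rule invites false confidence; a prefix match such as `"query": "user_agent.original:sqlmap*"` covers every default-UA version with no additional false-positive exposure, assuming `user_agent.original` is mapped as keyword in the target indices. If the exact-version form is kept deliberately, the description should state that only the default UA of 1.3.11 is detected.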
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json index 301954fc58745..91abe1368b011 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json @@ -1,17 +1,20 @@ { "description": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet", "query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 50, "rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json index 22429df353679..f3e62405d6e18 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json 
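Review bot: The exclusion list in the query (`not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16`) treats only the three RFC1918 IPv4 blocks as non-Internet, so bitsadmin connections to loopback, link-local or any IPv6 destination are reported as "Connecting to the Internet". Adding `and not destination.ip:127.0.0.0/8 and not destination.ip:169.254.0.0/16` would remove the most common local false positives; the certutil, cmd.exe and hh.exe egress rules in this patch reuse the same list and would need the same change. The `description` merely repeats the `name`; a sentence on why BITS egress matters (e.g. `bitsadmin /transfer` being used to fetch payloads) and that the `event.action` string appears to be the Sysmon network-connect event as rendered by Winlogbeat would help triage and make the data dependency explicit.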
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json @@ -1,17 +1,20 @@ { "description": "Windows Burp CE activity", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Burp CE activity", "query": "process.name:BurpSuiteCommunity.exe", "risk_score": 50, "rule_id": "0f09845b-2ec8-4770-8155-7df3d4e402cc", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json index 6cf9a375586ba..451a1ad4942de 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json 
@@ -1,17 +1,20 @@ { "description": "Windows: Certutil Connecting to the Internet", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows: Certutil Connecting to the Internet", "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 50, "rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json index c404bf7a05c85..6a2a9213a94a9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json 
@@ -1,17 +1,20 @@ { "description": "Windows: Command Prompt Connecting to the Internet", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows: Command Prompt Connecting to the Internet", "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 50, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json index 1bcad8ae016ef..92edd71a665dd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json @@ -1,16 +1,20 @@ { "description": "Command shell started by Internet Explorer", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Command shell started by Internet Explorer", "query": "process.parent.name:iexplore.exe and process.name:cmd.exe", "risk_score": 50, "rule_id": "7a6e1e81-deae-4cf6-b807-9a768fff3c06", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json index faa9694f658ff..663b2485fab93 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json @@ -1,16 +1,20 @@ { "description": "Command shell started by Powershell", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Command shell started by Powershell", "query": "process.parent.name:powershell.exe and process.name:cmd.exe", "risk_score": 50, "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json index aa371fea3f01d..73ab27a131e3d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json 
@@ -1,16 +1,20 @@ { "description": "Command shell started by Svchost", - "enabled": false, - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Command shell started by Svchost", "query": "process.parent.name:svchost.exe and process.name:cmd.exe", "risk_score": 50, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json index dec76deb3e888..9516b80412582 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json @@ -1,17 +1,20 @@ { "description": "Windows Credential Dumping Commands", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Credential Dumping Commands", "query": "event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*)", "risk_score": 50, "rule_id": "66885745-ea38-432c-9edb-599b943948d4", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } 
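Review bot: In the credential-dumping query, `event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or ...`, `and` binds tighter than `or` in KQL, so the `event.code: 1` constraint applies only to the first term and the remaining alternatives match any event type carrying those arguments. Grouping the alternatives fixes it: `"query": "event.code: 1 and (process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*))"`. Note also that `process.args:*wce*` is an unanchored three-character substring and will match unrelated arguments containing "wce"; anchoring it to the binary name, e.g. `process.args:*wce.exe*`, is probably closer to the intent.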
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json index de3fc49fefa37..06a9de8f20720 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json @@ -1,17 +1,20 @@ { "description": "Windows Credential Dumping via ImageLoad", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Credential Dumping via ImageLoad", "query": "event.code:7 and not process.name:Sysmon.exe and not process.name:Sysmon64.exe and not process.name:svchost.exe and not process.name:logonui.exe and (file.path:*samlib.dll* or file.path:*WinSCard.dll* or file.path:*cryptdll.dll* or file.path:*hid.dll* or file.path:*vaultcli.dll*)", "risk_score": 50, "rule_id": "f872647c-d070-4b1c-afcc-055f081d9205", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json index 016f49e22a8f8..a19646d2f83cf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json 
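Review bot: The exclusions in the image-load query are name-based (`not process.name:svchost.exe`, `logonui.exe`, `Sysmon.exe`), so a credential dumper copied to `svchost.exe` is allow-listed by the very rule meant to catch it; since the excluded processes live in fixed system directories, excluding on `process.executable` (full path) would be harder to spoof — confirm that field is populated for Sysmon event 7 in your pipeline. Separately, `file.path:*hid.dll*` and `*WinSCard.dll*` are loaded by many legitimate processes, so the `description` (currently identical to the `name`) should warn analysts to expect volume and to pivot on the loading process rather than the DLL alone.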
@@ -1,17 +1,20 @@ { "description": "Windows Credential Dumping via Registry Save", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Credential Dumping via Registry Save", "query": "event.code: 1 and process.name:reg.exe and process.args:*save* and (process.args:*sam* or process.args:*system*)", "risk_score": 50, "rule_id": "9f6fb56f-4bbd-404e-b955-49dfba7c0e68", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json index cf1334eda6778..9be27cbec023f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json @@ -1,17 +1,20 @@ { "description": "Windows Data Compression Using Powershell", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Data Compression Using Powershell", "query": "event.code: 1 and process.name:powershell.exe and (process.args:*Recurse* and process.args:*Compress-Archive*)", "risk_score": 50, "rule_id": "bc913943-e1f9-4bf5-a593-caca7c2eb0c3", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } 
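Review bot: The registry-save query only matches `reg.exe save` of hives whose argument contains `sam` or `system`, but the usual offline-credential triad also includes `HKLM\SECURITY` (LSA secrets and cached domain credentials), which this rule silently ignores. Extending the alternation covers it: `(process.args:*sam* or process.args:*system* or process.args:*security*)`. Also note that `*sam*` and `*system*` are unanchored substrings, so an unrelated `reg save` with arguments such as `systemprofile` or `samples` will fire; that is probably tolerable at low severity but worth stating in the description.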
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json index f718e5effe8ae..a4126a9b45ec9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json @@ -1,17 +1,20 @@ { "description": "Windows Defense Evasion - Decoding Using Certutil", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Defense Evasion - Decoding Using Certutil", "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)", "risk_score": 50, "rule_id": "d9642bf2-87d0-45c2-8781-2bd2017cdbb8", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json index 844a3fc2ac9ec..edba96cbcc37b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json 
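Review bot: The rule is named "Decoding Using Certutil" but its query (`event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)`) looks for `attrib.exe` setting hidden/system attributes — the same logic as the hidden-files rule in the next hunk — so certutil-based decoding is never detected and the title misleads whoever triages the signal. Presumably the intended query is along the lines of `event.code:1 and process.name:certutil.exe and (process.args:*decode* or process.args:*decodehex*)`; confirm against the original rule source before changing, and bump `version` when the logic changes since this ships as a prepackaged rule.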
@@ -1,17 +1,20 @@ { "description": "Windows Defense Evasion or Persistence via Hidden Files", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Defense Evasion or Persistence via Hidden Files", "query": "event.code:1 and process.name:attrib.exe and (process.args:\"+h\" or process.args:\"+s\")", "risk_score": 50, "rule_id": "340a0063-baba-447b-8396-26a5cc1eb684", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json index b98b0e3f8d0aa..56c2a3ecd7eaf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json @@ -1,17 +1,20 @@ { "description": "Windows Defense evasion via Filter Manager", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Defense evasion via Filter Manager", "query": "event.code:1 and process.name:fltmc.exe", "risk_score": 50, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } 
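Review bot: The filter-manager rule fires on every `fltmc.exe` process start (`event.code:1 and process.name:fltmc.exe`), including read-only `fltmc filters` / `fltmc instances` listings run by administrators and inventory scripts, while the defense-evasion behaviour is specifically unloading a minifilter (typically a security product's driver). Narrowing to `event.code:1 and process.name:fltmc.exe and process.args:unload` keeps the signal and drops most of the noise; if the broader form is intentional, the `description` (currently identical to the `name`) should say so and name `unload` as the argument that matters.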
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json index 2d37fedd30480..2f25c7282a87d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json @@ -1,17 +1,20 @@ { "description": "Windows Defense Evasion via Windows Event Log Tools", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Defense Evasion via Windows Event Log Tools", "query": "event.code:1 and process.name:wevtutil.exe", "risk_score": 50, "rule_id": "07979a67-ab4d-460f-9ff3-bf1352de6762", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json index 027556b7f2456..079d33bf0f676 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json 
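Review bot: The query `event.code:1 and process.name:wevtutil.exe` alerts on any invocation of wevtutil, including `qe`/`gl` queries and log exports that are routine on servers, whereas the evasion the rule name implies is clearing logs (`wevtutil cl <log>` / `clear-log`). Restricting to those sub-commands — `event.code:1 and process.name:wevtutil.exe and process.args:(cl or clear-log)` — would make the low severity and the absence of a `false_positives` list defensible; otherwise a `false_positives` entry describing legitimate administrative use should be added.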
@@ -1,17 +1,20 @@ { "description": "Windows Execution via Compiled HTML File", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Execution via Compiled HTML File", "query": "event.code:1 and process.name:hh.exe", "risk_score": 50, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json index 30d2f4e3c8936..9c8a4f4b47dce 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json @@ -1,17 +1,20 @@ { "description": "Windows Execution via Connection Manager", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Execution via Connection Manager", "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)", "risk_score": 50, "rule_id": "f2728299-167a-489c-913c-2e0955ac3c40", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } 
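Review bot: The query for "Execution via Connection Manager" is byte-identical to the "Windows Indirect Command Execution" rule later in this patch (`event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)`) and references neither the Connection Manager profile installer `cmstp.exe` nor anything related to it, so the two rules emit duplicate signals and this one does not detect what its name says. It also inherits that rule's KQL precedence problem: `and` binds tighter than `or`, so only the `pcalua.exe` parent clause is constrained to `event.code:1`. Presumably the intended query is something like `event.code:1 and process.name:cmstp.exe` — confirm against the original rule source, and bump `version` when the logic changes.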
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json index aa67d2aebe64b..d986ccbb865f8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json @@ -1,17 +1,20 @@ { "description": "Windows Execution via Microsoft HTML Application (HTA)", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Execution via Microsoft HTML Application (HTA)", "query": "event.code:1 and (process.parent.args:*mshta* or process.args:*mshta*)", "risk_score": 50, "rule_id": "b007cc82-c522-48d1-b7a7-53f63c50c494", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json index 20e0eba610e95..26e99cbb59e48 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json 
@@ -1,17 +1,20 @@ { "description": "Windows Execution via .NET COM Assemblies", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Execution via .NET COM Assemblies", "query": "event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)", "risk_score": 50, "rule_id": "5c12412f-602c-4120-8c4f-69d723dbba04", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json index 9371ec67fcec5..06d4a075c4e6b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json @@ -1,17 +1,20 @@ { "description": "Windows Execution via Regsvr32", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Execution via Regsvr32", "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)", "risk_score": 50, "rule_id": "b7333d08-be4b-4cb4-b81e-924ae37b3143", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } 
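Review bot: In the regsvr32 query `event.code: 1 and scrobj.dll and (process.name:certutil.exe or ...)`, `scrobj.dll` is a bare free-text term with no field, so KQL matches it against the index's default search fields rather than the command line; depending on the mapping this is either a full-text scan on every event or a clause that never matches. Scoping it to the field that carries the argument — `event.code: 1 and process.args:*scrobj.dll* and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)` — states the intent and avoids the cross-field behaviour. Including `certutil.exe` under a rule named "Execution via Regsvr32" also deserves a word in the `description`, which currently just repeats the `name`.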
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json index 3153c0d38d2fd..bc3ebf38181a0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json @@ -1,17 +1,20 @@ { "description": "Windows Execution via Trusted Developer Utilities", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", + "index": [ + "apm-*-transaction*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "packetbeat-*", + "winlogbeat-*" + ], "language": "kuery", "name": "Windows Execution via Trusted Developer Utilities", "query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)", "risk_score": 50, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", "severity": "low", - "to": "now", + "tags": ["Elastic"], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json index 4e39ab96840df..cec9fe4a4aebe 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json 
@@ -1,17 +1,20 @@
 {
 "description": "Windows: HTML Help executable Program Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: HTML Help executable Program Connecting to the Internet",
 "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
index d00f671c7b606..3e80b58377af6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json
@@ -1,6 +1,13 @@
 {
 "description": "Windows image load from a temp directory",
- "enabled": false,
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "filters": [
 {
 "$state": {
@@ -28,16 +35,13 @@
 }
 }
 ],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
 "language": "kuery",
 "name": "Windows image load from a temp directory",
 "query": "file.path:Temp",
 "risk_score": 50,
 "rule_id": "f23e4cc7-6825-4a28-b27a-e67437a9a806",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
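Review bot: In the `@@ -28,16 +35,13 @@` hunk of windows_image_load_from_a_temp_directory.json the query `"file.path:Temp"` is an exact term match if `file.path` is mapped as `keyword`, which is how ECS defines it; a real path such as a file under a Temp directory would then never equal the bare token `Temp` and the rule would never fire. If the intent is a substring match on the directory name, the query needs a wildcard or the text multi-field, e.g. `"query": "file.path:*Temp*",`, and a comment in `"description"` stating which it is would keep the next editor from "fixing" it back. The `"filters"` block that carries the rest of this rule's logic is outside the hunk, so I cannot tell whether it narrows the match further.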
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
index cbde84a5fc858..a7f22358a11d9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Indirect Command Execution",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Indirect Command Execution",
 "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",
 "risk_score": 50,
 "rule_id": "ff969842-c573-4e69-8e12-02fb303290f2",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
index e60c57ebc489a..8aae9dc83a1cd 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json
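Review bot: The query in windows_indirect_command_execution.json, `event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or ...)`, has a precedence problem: KQL binds `and` tighter than `or`, so the parenthesised group is not constrained by `event.code:1` and any document from any of the six indices that mentions bash.exe, forfiles.exe or pcalua.exe as `process.name` (file, network, image-load events) fires the rule. The intended shape is `"query": "event.code:1 and (process.parent.name:pcalua.exe or process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)",`. The same unparenthesised mix appears in windows_iodine_activity.json (`event.code: 1 and process.name:iodine.exe or process.name:iodined.exe`) and in windows_process_started_by_ms_office_program_possible_payload.json, where `and event.code:1` applies only to the last `WINWORD.EXE` term.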
@@ -1,17 +1,20 @@
 {
 "description": "Windows Iodine activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Iodine activity",
 "query": "event.code: 1 and process.name:iodine.exe or process.name:iodined.exe",
 "risk_score": 50,
 "rule_id": "fcbbf0b2-99c5-4c7f-8411-dc9ee392e43f",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
index 378b23825dc82..da525a8573264 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Management Instrumentation (WMI) Execution",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Management Instrumentation (WMI) Execution",
 "query": "event.code:1 and (process.parent.args:*wmiprvse.exe* or process.name:wmic.exe or process.args:*wmic* )",
 "risk_score": 50,
 "rule_id": "cec5eb81-6e01-40e5-a1bf-bf175cce4eb4",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
index 8b5dffeec67af..2f7a8dbee7c80 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet",
 "query": "process.name:mshta.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "b084514b-e8ba-4bc4-bc2b-50fe145a4215",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
index 1016d2c7af5f2..64641bb539cb9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json
@@ -1,16 +1,20 @@
 {
 "description": "Windows Mimikatz activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Mimikatz activity",
 "query": "event.code: 1 and process.name:mimikatz.exe",
 "risk_score": 50,
 "rule_id": "5346463d-062f-419d-88ff-7a5e97875210",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
index e6d606384d454..bb08cd4023e6a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows: Misc LOLBin Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Misc LOLBin Connecting to the Internet",
 "query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
index f8689bb314857..fce37db4fae3d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json
@@ -1,16 +1,20 @@
 {
 "description": "Windows net command activity by the SYSTEM account",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows net command activity by the SYSTEM account",
 "query": "process.name: (net.exe or net1.exe) and user.name:SYSTEM",
 "risk_score": 50,
 "rule_id": "c3f5dc81-a8b4-4144-95a7-d0a818d7355d",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
index 6b895f30fd5c4..555bb4afb0c10 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json
@@ -1,16 +1,20 @@
 {
 "description": "Windows net user command activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows net user command activity",
 "query": "process.name:net.exe and process.args:user and event.code:1",
 "risk_score": 50,
 "rule_id": "b039a69d-7fba-4c84-8029-57ac12548a15",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
index 8b105514ec798..288bc6dd2375b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json
@@ -1,16 +1,20 @@
 {
 "description": "Windows Netcat activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Netcat activity",
 "query": "process.name:ncat.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "e2437364-0c89-4e65-a34b-782cfbb7690b",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
index c16c91d9637e5..a533cd36ffdcf 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json
@@ -1,16 +1,20 @@
 {
 "description": "Windows Netcat network activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Netcat network activity",
 "query": "process.name:ncat.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
 "risk_score": 50,
 "rule_id": "ebdc4b6f-7fdb-4c21-bbd6-59e1ed11024a",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
index a22b12d242414..173e5191d9e65 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Network - Anomalous Windows Process Using HTTP/S Ports",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Network - Anomalous Windows Process Using HTTP/S Ports",
 "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:chrome.exe and not process.name:explorer.exe and not process.name:filebeat.exe and not process.name:firefox.exe and not process.name:iexplore.exe and not process.name:jusched.exe and not process.name:MpCmdRun.exe and not process.name:MpSigStub.exe and not process.name:msfeedssync.exe and not process.name:packetbeat.exe and not process.name:powershell.exe and not process.name:procexp64.exe and not process.name:svchost.exe and not process.name:taskhostw.exe and not process.name:winlogbeat.exe",
 "risk_score": 50,
 "rule_id": "b486fa9e-e6c7-44a1-b07d-7d5f07f21ce1",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
index a0c3b5be64d1c..dc231e5edce1e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json
@@ -1,16 +1,20 @@
 {
 "description": "Windows nmap activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows nmap activity",
 "query": "process.name:nmap.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "5a4b2a98-31a6-4852-b224-d63aeb9e172d",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
index 0195367b6f712..ccd49169e6497 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json
@@ -1,16 +1,20 @@
 {
 "description": "Windows nmap scan activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows nmap scan activity",
 "query": "process.name:nmap.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"",
 "risk_score": 50,
 "rule_id": "54413985-a3da-4f45-b238-75afb65a1bae",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
index 421cadfa8a63d..f7a331ca01474 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Payload Obfuscation via Certutil",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Payload Obfuscation via Certutil",
 "query": "event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)",
 "risk_score": 50,
 "rule_id": "ce7c270c-c69b-47dd-8c21-60a35e92f372",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
index 47de4ba9ff6e7..379cab0f07438 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Persistence or Priv Escalation via Hooking",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence or Priv Escalation via Hooking",
 "query": "event.code:1 and process.name:mavinject.exe and processs.args:*INJECTRUNNING*",
 "risk_score": 50,
 "rule_id": "015f070d-cf70-437c-99d1-472e31d36b03",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
index c6e558a3be260..ca5daf772a22e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Persistence via Application Shimming",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence via Application Shimming",
 "query": "event.code:1 and process.name:sdbinst.exe",
 "risk_score": 50,
 "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
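Review bot: The query in windows_persistence_or_priv_escalation_via_hooking.json references `processs.args` (three s), which is not an ECS field; on a mapped index the clause matches nothing, so this prepackaged rule ships silently dead and the commit does not touch it. The line should read `"query": "event.code:1 and process.name:mavinject.exe and process.args:*INJECTRUNNING*",`. Since every rule in this directory is now committed with a concrete `"index"` list, a unit test that walks the prepackaged rules and checks each query's field names against the ECS mapping the same PR is changing would catch this class of typo before release.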
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
index b6d97628f98ec..4c6515f33fad0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Persistence via BITS Jobs",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence via BITS Jobs",
 "query": "event.code:1 and (process.name:bitsadmin.exe or process.args:*Start-BitsTransfer*)",
 "risk_score": 50,
 "rule_id": "7904fb20-172c-43fb-83e4-bfe27e3c702c",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
index 782ce7a6eec92..01b56a1ecd1e0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Persistence via Modification of Existing Service",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence via Modification of Existing Service",
 "query": "event.code:1 and process.args:*sc*config*binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)",
 "risk_score": 50,
 "rule_id": "3bb04809-84ab-4487-bd99-ccc58675bd40",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
index 19e6ac51158eb..50b31aa7033eb 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Persistence via Netshell Helper DLL",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Persistence via Netshell Helper DLL",
 "query": "event.code:1 and process.name:netsh.exe and process.args:*helper*",
 "risk_score": 50,
 "rule_id": "d7c2561d-2758-46ad-b5a9-247efb9eea21",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
index 50e3d6e0f3874..5198f85b999ac 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows: Powershell Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Powershell Connecting to the Internet",
 "query": "process.name:powershell.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "a8cfa646-e4d8-48b5-884e-6204ba77fc8d",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
index 96faa2a88e3a6..f24460373f55d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
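Review bot: The PowerShell rule's query excludes `destination.ip:169.254.169.254/32` (the cloud instance-metadata endpoint) in addition to the three RFC 1918 ranges, while the sibling "connecting to the internet" rules in this chunk for hh.exe, mshta.exe and the misc LOLBins exclude only the RFC 1918 ranges; the set of "not internet" destinations should be the same across the family or the difference should be stated. Metadata-endpoint traffic from an interpreter is worth a deliberate decision either way, since suppressing it trades noise from cloud agents for blindness to credential retrieval via the metadata service. Whichever way it goes, a sentence in `"description"` such as "Excludes RFC 1918 and the 169.254.169.254 metadata endpoint" would make the choice reviewable, and the other three rules should be brought in line.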
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Priv Escalation via Accessibility Features",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Priv Escalation via Accessibility Features",
 "query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)",
 "risk_score": 50,
 "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
index 572a9ede23e2a..fd2bfcf216bf3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Process Discovery via Tasklist Command",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Process Discovery via Tasklist Command",
 "query": "event.code:1 and process.name:tasklist.exe",
 "risk_score": 50,
 "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
index 9e29c82e48872..1e14de81b7cb2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json
@@ -1,17 +1,20 @@
 {
 "description": "Process Execution via WMI",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Process Execution via WMI",
 "query": "process.name:scrcons.exe",
 "risk_score": 50,
 "rule_id": "7e6cd4b9-6346-4683-b3e6-6a3e66f3208f",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
index e96c223765cbd..973a7df57f712 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json
@@ -1,16 +1,20 @@
 {
 "description": "Process started by Acrobat reader - possible payload",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Process started by Acrobat reader - possible payload",
 "query": "process.parent.name:AcroRd32.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "b6422896-b6e3-45c3-9d9e-4eccb2a25270",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
index c2e185cd0c7eb..cb7b234c21f8c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json
@@ -1,16 +1,20 @@
 {
 "description": "Process started by MS Office program - possible payload",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Process started by MS Office program - possible payload",
 "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE and event.code:1",
 "risk_score": 50,
 "rule_id": "838dcec6-ce9a-4cdd-9ca8-f6512cf6d559",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
index 6902807cb51d1..c684be0732064 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json
@@ -1,16 +1,20 @@
 {
 "description": "Windows process started by the Java runtime",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows process started by the Java runtime",
 "query": "process.parent.name:javaw.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "159168a1-b1d0-4e5c-ad72-c1e9ae2edec2",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
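Review bot: In the MS Office rule's `query`, KQL gives `and` higher precedence than `or`, so `event.code:1` binds only to the `WINWORD.EXE` term and the other five parent names match on whatever other event types carry `process.parent.name`, inflating signals and contradicting the "process started" name. Wrap the alternatives: `"query": "process.parent.name:(EXCEL.EXE or MSPUB.EXE or OUTLOOK.EXE or POWERPNT.EXE or VISIO.EXE or WINWORD.EXE) and event.code:1"`. The Java-runtime rule in the same line is structurally fine.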
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
index 280f061ed7785..e4c91b6f89cd4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json
@@ -1,17 +1,20 @@
 {
 "description": "PSexec activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "PSexec activity",
 "query": "process.name:PsExec.exe or process.name:PsExec64.exe",
 "risk_score": 50,
 "rule_id": "3e61ab8b-0f39-4d2e-ab64-332f0d0b3ad7",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
index 563553a24a3e7..a106eda988e94 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
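Review bot: `process.name:PsExec.exe or process.name:PsExec64.exe` only catches an unrenamed client binary on the host that launches it, and with no `event.code` term it fires on every event type for that process rather than on the launch; renaming the executable defeats it entirely. The target-side artifact is more robust — the `PSEXESVC.exe` service binary the client drops on the remote host — so at minimum `process.name:(PsExec.exe or PsExec64.exe or PSEXESVC.exe)`, and if winlogbeat exposes Sysmon's OriginalFileName under an ECS field, a match on that as well. Failing that, the `description` should say the rule detects the default-named client only.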
@@ -1,17 +1,20 @@
 {
 "description": "Windows: Register Server Program Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Register Server Program Connecting to the Internet",
 "query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
index d9bc00cfbd336..49642d271d4ea 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Registry Query, Local",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Registry Query, Local",
 "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
 "risk_score": 50,
 "rule_id": "b9074c74-6d23-4b07-927e-cc18b318a088",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
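Review bot: Excluding `destination.ip:169.254.169.254/32` from the regsvr32 rule silently drops the one link-local address attackers care most about — the cloud instance-metadata endpoint, where a proxied regsvr32 request can harvest instance credentials; if the intent is "not an internal address", remove that term and keep only `not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16`, or document the trade-off in `description`. Loopback (`127.0.0.0/8`, `::1`) is not excluded, so local-proxy traffic will also be reported as "Internet". I am not aware of a stock Windows binary named `regsvr64.exe` (both 32- and 64-bit variants are `regsvr32.exe`), so please confirm that term is intended rather than a typo.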
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
index ddf8ff569e35f..884deb7645a67 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Registry Query, Network",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Registry Query, Network",
 "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*",
 "risk_score": 50,
 "rule_id": "f5412e37-981e-4d37-a1b2-eddaf797445a",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
index 0e67b777ac6dc..08d96ad741502 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json
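Review bot: The "Windows Registry Query, Network" query is byte-for-byte the same as "Windows Registry Query, Local" (`event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*`), so every matching event yields two signals and nothing distinguishes a remote query from a local one. A remote `reg.exe query` takes a `\\HOST\HKLM\...` key path, so the network variant presumably wants a term on the UNC-prefixed key argument and the local variant its negation (KQL backslash escaping to be verified). Since ECS `process.args` starts with the executable itself, `process.args:*reg*` is redundant once `process.name:reg.exe` is set, and leading-wildcard terms are expensive across six index patterns.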
@@ -1,17 +1,20 @@
 {
 "description": "Windows Remote Management Execution",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Remote Management Execution",
 "query": "(process.name:wsmprovhost.exe or process.name:winrm.cmd) and (process.args:*Enable-PSRemoting -Force* or process.args:*Invoke-Command -computer_name* or process.args:*wmic*node*process call create*)",
 "risk_score": 50,
 "rule_id": "ced66221-3e07-40ee-8588-5f107e7d50d8",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
index 58fd2df8f15ef..56f5b71ceb510 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Scheduled Task Activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Scheduled Task Activity",
 "query": "event.code:1 and (process.name:schtasks.exe or process.name:taskeng.exe) or (event.code:1 and process.name:svchost.exe and not process.parent.executable: \"C:\\Windows\\System32\\services.exe\" )",
 "risk_score": 50,
 "rule_id": "a1abd54d-3021-4f21-b2d1-0c6bc5c4051f",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
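Review bot: In the Remote Management rule, ECS `process.args` is an array of individual arguments, so a wildcard value containing spaces — `*Enable-PSRemoting -Force*`, `*Invoke-Command -computer_name*`, `*wmic*node*process call create*` — can only match an argument that itself contains those spaces, which a normally tokenised command line will not; if winlogbeat splits the Sysmon CommandLine that way, these terms never match and the rule is dead. Either query the full command line (`process.command_line:*Enable-PSRemoting*-Force*`, if that field is populated) or split into per-argument terms such as `process.args:Enable-PSRemoting and process.args:-Force`. Separately, `Invoke-Command` takes `-ComputerName`, not `-computer_name`, so that term looks wrong on its own. The scheduled-task rule in the same line is structurally fine, but `process.parent.executable` is an exact keyword comparison against `C:\Windows\System32\services.exe`, so casing must match what winlogbeat records.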
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
index 41559425538ab..a700ac0a48bc2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows: Script Interpreter Connecting to the Internet",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows: Script Interpreter Connecting to the Internet",
 "query": "(process.name:cscript.exe or process.name:wscript.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
 "risk_score": 50,
 "rule_id": "2cc4597c-b0c9-4481-b1a6-e6c05cfc9f02",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
index 64185c784e028..1dc62c7b5db42 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
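Review bot: The cscript/wscript rule excludes only the three RFC 1918 blocks while the sibling regsvr32 rule additionally excludes `169.254.169.254/32`, so the two "Connecting to the Internet" rules define "Internet" differently; pick one exclusion list and apply it to both. Neither excludes loopback, so `and not destination.ip:127.0.0.0/8` is worth adding if local-proxy chatter is unwanted, and `100.64.0.0/10` (carrier-grade NAT) is another common non-Internet range. Because `event.action:"Network connection detected (rule: NetworkConnect)"` is a Sysmon-module-specific string, the rule can only fire on `winlogbeat-*` despite listing six index patterns; fine, but worth stating in `description`.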
@@ -1,17 +1,20 @@
 {
 "description": "Windows Signed Binary Proxy Execution",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution",
 "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)",
 "risk_score": 50,
 "rule_id": "7edb573f-1f9b-4161-8c19-c7c383bb17f2",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
index b1146f07612f6..717d99ee7901c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Signed Binary Proxy Execution Download",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Signed Binary Proxy Execution Download",
 "query": " event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)",
 "risk_score": 50,
 "rule_id": "68ecc190-cce2-4021-b976-c7c846ac0a00",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
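Review bot: Both Signed Binary Proxy Execution queries use a bare term `http` with no field, which KQL runs as a free-text search over the index pattern's default fields; on a keyword field that matches only a value exactly equal to `http`, not a URL argument such as `http://host/payload`, so whether it ever matches depends on some tokenised text field (e.g. `message`) happening to contain that token. Make the intent explicit: `"query": "event.code:1 and process.args:*http* and (process.name:certutil.exe or process.name:msiexec.exe)"`, and likewise for the `event.code:3` download variant, accepting the leading-wildcard cost other rules in this set already pay. The download variant's query also begins with a stray leading space (`" event.code:3 ..."`); harmless but untidy.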
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
index c5a7db434ac38..82733cbb6b21c 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
@@ -1,16 +1,20 @@
 {
 "description": "Suspicious process started by a script",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Suspicious process started by a script",
 "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe) and event.code:1",
 "risk_score": 50,
 "rule_id": "89db767d-99f9-479f-8052-9205fd3090c4",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
index b13a20518893c..768cd65c5e4f5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
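Review bot: In the child-process alternation, `mshta.exe` is written without a field (`... or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe ...`), so it becomes a free-text term instead of a `process.name` match; change it to `process.name:mshta.exe`, or collapse the group to `process.name:(bitsadmin.exe or certutil.exe or mshta.exe or nslookup.exe or schtasks.exe)`. As written, the bare term may match unrelated events that mention mshta.exe in any default field, or nothing at all, depending on the index template.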
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
@@ -1,16 +1,20 @@
 {
 "description": "Windows whoami command activity",
- "enabled": false,
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows whoami command activity",
 "query": "process.name:whoami.exe and event.code:1",
 "risk_score": 50,
 "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
index 8fc548b694b02..4f33e95cfe2e9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json
@@ -1,17 +1,20 @@
 {
 "description": "WinDump activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "WinDump activity",
 "query": "process.name:WinDump.exe",
 "risk_score": 50,
 "rule_id": "a342cfcb-8420-46a4-8d85-53edc631e0d6",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
index 30ee18fe53557..72db4aed03c88 100644
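Review bot: `process.name:WinDump.exe` in the WinDump rule has no `event.code` term, unlike the whoami rule in the same line, so every event type attributed to the process becomes a signal; add `event.code:1 and ` or state the intent in `description`. `process.name` is an exact keyword match, so the mixed-case literal must match what winlogbeat records for the binary — worth confirming against a real event before shipping.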
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json
@@ -1,17 +1,20 @@
 {
 "description": "Windows Wireshark activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
 "language": "kuery",
 "name": "Windows Wireshark activity",
 "query": "process.name:wireshark.exe",
 "risk_score": 50,
 "rule_id": "9af965ed-d501-4541-97f6-5f8d2a39737b",
 "severity": "low",
- "to": "now",
+ "tags": ["Elastic"],
 "type": "query",
 "version": 1
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts
index 0d7fb7918b67e..9e4b3a2e54806 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts
@@ -38,7 +38,7 @@ export const updatePrepackagedRules = async (
 tags,
 to,
 type,
- threats,
+ threat,
 references,
 version,
 } = rule;
@@ -70,7 +70,7 @@ export const updatePrepackagedRules = async (
 tags,
 to,
 type,
- threats,
+ threat,
 references,
 version,
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
index c4d78e83eebd6..e37e899c7de51 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
@@ -103,7 +103,7 @@ export const updateRules = async ({
 name,
 severity,
 tags,
- threats,
+ threat,
 to,
 type,
 references,
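Review bot: `process.name:wireshark.exe` is a case-sensitive keyword match, and the binary Wireshark installs is named `Wireshark.exe`; whether winlogbeat preserves that casing depends on how Sysmon reports the Image path, so verify against a real event, otherwise this rule may never fire. It also has no `event.code` scope, so any event for the process — not just its start — is a signal; `event.code:1 and process.name:Wireshark.exe` (with the casing confirmed) would be the tighter form.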
@@ -133,7 +133,7 @@ export const updateRules = async ({
 name,
 severity,
 tags,
- threats,
+ threat,
 to,
 type,
 references,
@@ -161,7 +161,7 @@ export const updateRules = async ({
 maxSignals,
 riskScore,
 severity,
- threats,
+ threat,
 to,
 type,
 updatedAt: new Date().toISOString(),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/import/multiple_ruleid_queries.ndjson b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/import/multiple_ruleid_queries.ndjson
index 4c45ac7a1b38b..e395916363ab6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/import/multiple_ruleid_queries.ndjson
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/import/multiple_ruleid_queries.ndjson
@@ -1,3 +1,3 @@
-{"created_at":"2020-01-09T01:38:00.740Z","updated_at":"2020-01-09T01:38:00.740Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"6688f367-1aa2-4895-a5a8-b3701eecf57d","immutable":false,"interval":"5m","rule_id":"query-rule-id-1","language":"kuery","output_index":".siem-signals-frank-default","max_signals":100,"risk_score":1,"name":"Query with a rule id Number 1","query":"user.name: root or user.name: admin","references":[],"severity":"high","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1}
-{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-2","language":"kuery","output_index":".siem-signals-frank-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1}
+{"created_at":"2020-01-09T01:38:00.740Z","updated_at":"2020-01-09T01:38:00.740Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"6688f367-1aa2-4895-a5a8-b3701eecf57d","immutable":false,"interval":"5m","rule_id":"query-rule-id-1","language":"kuery","output_index":".siem-signals-frank-default","max_signals":100,"risk_score":1,"name":"Query with a rule id Number 1","query":"user.name: root or user.name: admin","references":[],"severity":"high","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1}
+{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-2","language":"kuery","output_index":".siem-signals-frank-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1}
 {"exported_count":2,"missing_rules":[],"missing_rules_count":0}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json
index f728e3b988206..fec582ce77295 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json
@@ -1,11 +1,11 @@
 {
 "name": "Query which has Mitre Attack Data",
- "description": "Example query which has Mitre Attack Data as threats",
+ "description": "Example query which has Mitre Attack Data as threat",
 "risk_score": 1,
 "severity": "high",
 "type": "query",
 "query": "user.name: root or user.name: admin",
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -13,7 +13,7 @@
 "name": "impact",
 "reference": "https://attack.mitre.org/tactics/TA0040/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1499",
 "name": "endpoint denial of service",
@@ -28,7 +28,7 @@
 "name": "Automated Exfiltration",
 "reference": "https://attack.mitre.org/techniques/T1020/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1002",
 "name": "Data Compressed",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json
index 4a90d904f31ab..082dd5205a142 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_everything.json
@@ -40,7 +40,7 @@
 "from": "now-6m",
 "severity": "high",
 "type": "query",
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -48,7 +48,7 @@
 "name": "impact",
 "reference": "https://attack.mitre.org/tactics/TA0040/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1499",
 "name": "endpoint denial of service",
@@ -63,7 +63,7 @@
 "name": "Some other name",
 "reference": "https://example.com"
 },
- "techniques": [
+ "technique": [
 {
 "id": "some-other-id",
 "name": "some other technique name",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json
index 2b7dbc8cccf0e..9d8b0d6b4922d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_everything.json
@@ -40,7 +40,7 @@
 "from": "now-6m",
 "severity": "high",
 "type": "saved_query",
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -48,7 +48,7 @@
 "name": "impact",
 "reference": "https://attack.mitre.org/tactics/TA0040/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1499",
 "name": "endpoint denial of service",
@@ -63,7 +63,7 @@
 "name": "Some other name",
 "reference": "https://example.com"
 },
- "techniques": [
+ "technique": [
 {
 "id": "some-other-id",
 "name": "some other technique name",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/imports/multiple_ruleid_queries_corrupted.ndjson b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/imports/multiple_ruleid_queries_corrupted.ndjson
index 744bd1e078a41..31acaa5bd9803 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/imports/multiple_ruleid_queries_corrupted.ndjson
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/imports/multiple_ruleid_queries_corrupted.ndjson
@@ -1,4 +1,4 @@
-{"created_at":"2020-01-09T01:38:00.740Z","updated_at":"2020-01-09T01:38:00.740Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"6688f367-1aa2-4895-a5a8-b3701eecf57d","immutable":false,"interval":"5m","rule_id":"query-rule-id-1","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":1,"name":"Query with a rule id Number 1","query":"user.name: root or user.name: admin","references":[],"severity":"high","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1},
-{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-2","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1}
-{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-3","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1}
+{"created_at":"2020-01-09T01:38:00.740Z","updated_at":"2020-01-09T01:38:00.740Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"6688f367-1aa2-4895-a5a8-b3701eecf57d","immutable":false,"interval":"5m","rule_id":"query-rule-id-1","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":1,"name":"Query with a rule id Number 1","query":"user.name: root or user.name: admin","references":[],"severity":"high","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1},
+{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-2","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1}
+{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-3","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threat":[],"version":1}
 {"exported_count":2,"missing_rules":[],"missing_rules_count":0}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md index ff3e9a8cf0948..2310ba979da20 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md @@ -123,7 +123,7 @@ ancestors -> An array tracking all of the parents of this particular signal. As ``` This is indicating that you have a single parent of an event from the signal (signal -> event) and this document has a single -ancestor of that event. Each 30 seconds that goes it will use de-duplication techniques to ensure that this signal is not re-inserted. If after +ancestor of that event. Each 30 seconds that goes it will use de-duplication technique to ensure that this signal is not re-inserted. If after each 30 seconds you DO SEE multiple signals then the bug is a de-duplication bug and a critical bug. If you ever see a duplicate rule in the ancestors array then that is another CRITICAL bug which needs to be fixed. diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/halting_test/README.md b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/halting_test/README.md index 7895e579de3a6..b1a83f5317776 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/halting_test/README.md +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/halting_test/README.md 
@@ -102,7 +102,7 @@ ancestors -> An array tracking all of the parents of this particular signal. As
 ```
 This is indicating that you have a single parent of an event from the signal (signal -> event) and this document has a single
-ancestor of that event. Each 30 seconds that goes it will use de-duplication techniques to ensure that this signal is not re-inserted. If after
+ancestor of that event. Each 30 seconds that goes it will use de-duplication technique to ensure that this signal is not re-inserted. If after
 each 30 seconds you DO SEE multiple signals then the bug is a de-duplication bug and a critical bug. If you ever see a duplicate rule in the ancestors array then that is another CRITICAL bug which needs to be fixed.
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json
index a47d0155727d8..eb210cd8153d7 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/updates/update_query_everything.json
@@ -40,7 +40,7 @@
 "from": "now-6m",
 "severity": "high",
 "type": "query",
- "threats": [
+ "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
@@ -48,7 +48,7 @@
 "name": "impact",
 "reference": "https://attack.mitre.org/tactics/TA0040/"
 },
- "techniques": [
+ "technique": [
 {
 "id": "T1499",
 "name": "endpoint denial of service",
@@ -63,7 +63,7 @@
 "name": "Some other name",
 "reference": "https://example.com"
 },
- "techniques": [
+ "technique": [
 {
 "id": "some-other-id",
 "name": "some other technique name",
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/sample_signal.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/sample_signal.json
index 8cba054d4d205..48b00930412b4 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/sample_signal.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/sample_signal.json
@@ -13,13 +13,8 @@
 "id": "e6f890af316a25920c951acefc46bfef",
 "name": "suricata-iowa",
 "containerized": false,
- "ip": [
- "10.128.0.21",
- "fe80::4001:aff:fe80:15"
- ],
- "mac": [
- "42:01:0a:80:00:15"
- ],
+ "ip": ["10.128.0.21", "fe80::4001:aff:fe80:15"],
+ "mac": ["42:01:0a:80:00:15"],
 "hostname": "suricata-iowa"
 },
 "client": {
@@ -73,11 +68,8 @@
 "bytes": 80
 },
 "process": {
- "args": [
- "\/usr\/bin\/python3",
- "\/usr\/bin\/google_network_daemon"
- ],
- "executable": "\/usr\/bin\/python3.7",
+ "args": ["/usr/bin/python3", "/usr/bin/google_network_daemon"],
+ "executable": "/usr/bin/python3.7",
 "created": "2019-11-04T15:01:04.190Z",
 "pid": 808,
 "name": "google_network_"
@@ -137,38 +129,26 @@
 "rule": {
 "id": "8d9bb7f1-9d8a-4f13-ae18-ccaf4ff61893",
 "rule_id": "rule-1",
- "false_positives": [
-
- ],
+ "false_positives": [],
 "max_signals": 100,
 "risk_score": 1,
 "description": "Detecting root and admin users",
 "from": "now-6s",
 "immutable": false,
- "index": [
- "auditbeat-*",
- "filebeat-*",
- "packetbeat-*",
- "winlogbeat-*"
- ],
+ "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "winlogbeat-*"],
 "interval": "5s",
 "language": "kuery",
- "name": "Detect Root\/Admin Users",
+ "name": "Detect Root/Admin Users",
 "query": "user.name: root or user.name: admin",
- "references": [
- "http:\/\/www.example.com",
- "https:\/\/ww.example.com"
- ],
+ "references": ["http://www.example.com", "https://ww.example.com"],
 "severity": "high",
- "tags": [
-
- ],
+ "tags": [],
 "type": "query",
 "to": "now",
 "enabled": true,
 "created_by": "elastic",
 "updated_by": "elastic",
- "threats": [
+ "threat": [
 {
 "framework": "fake",
 "technique": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts
index 9a79b27bac7e9..6507e6ca73ede 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts
@@ -33,7 +33,7 @@ export const sampleRuleAlertParams = (
 timelineId: undefined,
 timelineTitle: undefined,
 meta: undefined,
- threats: undefined,
+ threat: undefined,
 version: 1,
 updatedAt: '2019-12-17T15:04:25.343Z',
 createdAt: '2019-12-17T15:04:37.105Z',
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts
index 1093ff3a8a462..ba1b2f695156b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts
@@ -56,7 +56,7 @@ export const buildRule = ({
 filters: ruleParams.filters,
 created_by: createdBy,
 updated_by: updatedBy,
- threats: ruleParams.threats,
+ threat: ruleParams.threat,
 version: ruleParams.version,
 created_at: ruleParams.createdAt,
 updated_at: ruleParams.updatedAt,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
index 5b0185cf3a6f8..370ed65280849 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -53,7 +53,7 @@ export const signalRulesAlertType = ({
 maxSignals: schema.number({ defaultValue: DEFAULT_MAX_SIGNALS }),
 riskScore: schema.number(),
 severity: schema.string(),
- threats: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
+ threat: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
 to: schema.string(),
 type: schema.string(),
 updatedAt: schema.string(),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
index c7bd92322360a..d1c9845dbbcfc 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
@@ -18,7 +18,7 @@ export interface IMitreAttack {
 export interface ThreatParams {
 framework: string;
 tactic: IMitreAttack;
- techniques: IMitreAttack[];
+ technique: IMitreAttack[];
 }
 export interface RuleAlertParams {
@@ -46,7 +46,7 @@ export interface RuleAlertParams {
 to: string;
 timelineId: string | undefined | null;
 timelineTitle: string | undefined | null;
- threats: ThreatParams[] | undefined | null;
+ threat: ThreatParams[] | undefined | null;
 type: 'query' | 'saved_query';
 version: number;
 updatedAt: string;
diff --git a/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts b/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts
index 237e419368376..f85fb2c9fd753 100644
--- a/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts
@@ -307,7 +307,7 @@ export const signalFieldsMap: Readonly> = {
 'signal.rule.references': 'signal.rule.references',
 'signal.rule.severity': 'signal.rule.severity',
 'signal.rule.tags': 'signal.rule.tags',
- 'signal.rule.threats': 'signal.rule.threats',
+ 'signal.rule.threat': 'signal.rule.threat',
 'signal.rule.type': 'signal.rule.type',
 'signal.rule.size': 'signal.rule.size',
 'signal.rule.enabled': 'signal.rule.enabled',
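Review bot: The renamed `threat` entry in the params schema still validates each element as `schema.object({}, { allowUnknowns: true })`, so any object passes at this layer — including an element that keeps the old `techniques` key, or carries `technique` as a single object rather than the `IMitreAttack[]` that `ThreatParams` now declares in the types.ts hunk on this page. `buildRule` (earlier on this page) copies `ruleParams.threat` into the signal document as-is, so this schema is the last point at which a shape that does not match the signals mapping could be rejected instead of indexed. Tightening it to the declared shape, as sketched below, would fail validation for such rules rather than writing them to the signals index; the `IMitreAttack` declaration starts outside the hunk, so the field names below are taken from the rule JSON in this PR and should be checked against it. `signalRulesAlertType`'s body continues outside the hunk.
```typescript
threat: schema.nullable(
  schema.arrayOf(
    schema.object({
      framework: schema.string(),
      tactic: schema.object({ id: schema.string(), name: schema.string(), reference: schema.string() }),
      technique: schema.arrayOf(
        schema.object({ id: schema.string(), name: schema.string(), reference: schema.string() })
      ),
    })
  )
),
// … unchanged: to, type, updatedAt …
```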