

re-generated index file
FrankHassanabad committed Jan 28, 2020
1 parent 1a8014b commit bcc0893
Showing 1 changed file with 111 additions and 201 deletions.
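--- a/UNKNOWN_PATH_placeholder
+++ b/UNKNOWN_PATH_placeholder
@@ -9,162 +9,117 @@
 
 import rule1 from './403_response_to_a_post.json';
 import rule2 from './405_response_method_not_allowed.json';
-import rule3 from './500_response_on_admin_page.json';
-import rule4 from './elastic_endpoint_security_adversary_behavior_detected.json';
-import rule5 from './elastic_endpoint_security_cred_dumping_detected.json';
-import rule6 from './elastic_endpoint_security_cred_dumping_prevented.json';
-import rule7 from './elastic_endpoint_security_cred_manipulation_detected.json';
-import rule8 from './elastic_endpoint_security_cred_manipulation_prevented.json';
-import rule9 from './elastic_endpoint_security_exploit_detected.json';
-import rule10 from './elastic_endpoint_security_exploit_prevented.json';
-import rule11 from './elastic_endpoint_security_malware_detected.json';
-import rule12 from './elastic_endpoint_security_malware_prevented.json';
-import rule13 from './elastic_endpoint_security_permission_theft_detected.json';
-import rule14 from './elastic_endpoint_security_permission_theft_prevented.json';
-import rule15 from './elastic_endpoint_security_process_injection_detected.json';
-import rule16 from './elastic_endpoint_security_process_injection_prevented.json';
-import rule17 from './elastic_endpoint_security_ransomware_detected.json';
-import rule18 from './elastic_endpoint_security_ransomware_prevented.json';
-import rule19 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json';
-import rule20 from './eql_adobe_hijack_persistence.json';
-import rule21 from './eql_audio_capture_via_powershell.json';
-import rule22 from './eql_audio_capture_via_soundrecorder.json';
-import rule23 from './eql_bypass_uac_event_viewer.json';
-import rule24 from './eql_bypass_uac_via_cmstp.json';
-import rule25 from './eql_bypass_uac_via_sdclt.json';
-import rule26 from './eql_clearing_windows_event_logs.json';
-import rule27 from './eql_delete_volume_usn_journal_with_fsutil.json';
-import rule28 from './eql_deleting_backup_catalogs_with_wbadmin.json';
-import rule29 from './eql_direct_outbound_smb_connection.json';
-import rule30 from './eql_disable_windows_firewall_rules_with_netsh.json';
-import rule31 from './eql_dll_search_order_hijack.json';
-import rule32 from './eql_encoding_or_decoding_files_via_certutil.json';
-import rule33 from './eql_local_scheduled_task_commands.json';
-import rule34 from './eql_local_service_commands.json';
-import rule35 from './eql_modification_of_boot_configuration.json';
-import rule36 from './eql_msbuild_making_network_connections.json';
-import rule37 from './eql_mshta_making_network_connections.json';
-import rule38 from './eql_msxsl_making_network_connections.json';
-import rule39 from './eql_psexec_lateral_movement_command.json';
-import rule40 from './eql_suspicious_ms_office_child_process.json';
-import rule41 from './eql_suspicious_ms_outlook_child_process.json';
-import rule42 from './eql_suspicious_pdf_reader_child_process.json';
-import rule43 from './eql_system_shells_via_services.json';
-import rule44 from './eql_unusual_network_connection_via_rundll32.json';
-import rule45 from './eql_unusual_parentchild_relationship.json';
-import rule46 from './eql_unusual_process_network_connection.json';
-import rule47 from './eql_user_account_creation.json';
-import rule48 from './eql_user_added_to_administrator_group.json';
-import rule49 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
-import rule50 from './eql_volume_shadow_copy_deletion_via_wmic.json';
-import rule51 from './eql_windows_script_executing_powershell.json';
-import rule52 from './eql_wmic_command_lateral_movement.json';
-import rule53 from './linux_hping_activity.json';
-import rule54 from './linux_iodine_activity.json';
-import rule55 from './linux_kernel_module_activity.json';
-import rule56 from './linux_ldso_process_activity.json';
-import rule57 from './linux_lzop_activity.json';
-import rule58 from './linux_mknod_activity.json';
-import rule59 from './linux_netcat_network_connection.json';
-import rule60 from './linux_network_anomalous_process_using_https_ports.json';
-import rule61 from './linux_nmap_activity.json';
-import rule62 from './linux_nping_activity.json';
-import rule63 from './linux_process_started_in_temp_directory.json';
-import rule64 from './linux_ptrace_activity.json';
-import rule65 from './linux_rawshark_activity.json';
-import rule66 from './linux_shell_activity_by_web_server.json';
-import rule67 from './linux_socat_activity.json';
-import rule68 from './linux_ssh_forwarding.json';
-import rule69 from './linux_strace_activity.json';
-import rule70 from './linux_tcpdump_activity.json';
-import rule71 from './linux_web_download.json';
-import rule72 from './linux_whoami_commmand.json';
-import rule73 from './network_dns_directly_to_the_internet.json';
-import rule74 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
-import rule75 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
-import rule76 from './network_nat_traversal_port_activity.json';
-import rule77 from './network_port_26_activity.json';
-import rule78 from './network_port_8000_activity.json';
-import rule79 from './network_port_8000_activity_to_the_internet.json';
-import rule80 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
-import rule81 from './network_proxy_port_activity_to_the_internet.json';
-import rule82 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
-import rule83 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
-import rule84 from './network_rpc_remote_procedure_call_from_the_internet.json';
-import rule85 from './network_rpc_remote_procedure_call_to_the_internet.json';
-import rule86 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
-import rule87 from './network_smtp_to_the_internet.json';
-import rule88 from './network_sql_server_port_activity_to_the_internet.json';
-import rule89 from './network_ssh_secure_shell_from_the_internet.json';
-import rule90 from './network_ssh_secure_shell_to_the_internet.json';
-import rule91 from './network_telnet_port_activity.json';
-import rule92 from './network_tor_activity_to_the_internet.json';
-import rule93 from './network_vnc_virtual_network_computing_from_the_internet.json';
-import rule94 from './network_vnc_virtual_network_computing_to_the_internet.json';
-import rule95 from './null_user_agent.json';
-import rule96 from './sqlmap_user_agent.json';
-import rule97 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
-import rule98 from './windows_burp_ce_activity.json';
-import rule99 from './windows_certutil_connecting_to_the_internet.json';
-import rule100 from './windows_command_prompt_connecting_to_the_internet.json';
-import rule101 from './windows_command_shell_started_by_internet_explorer.json';
-import rule102 from './windows_command_shell_started_by_powershell.json';
-import rule103 from './windows_command_shell_started_by_svchost.json';
-import rule104 from './windows_credential_dumping_commands.json';
-import rule105 from './windows_credential_dumping_via_imageload.json';
-import rule106 from './windows_credential_dumping_via_registry_save.json';
-import rule107 from './windows_data_compression_using_powershell.json';
-import rule108 from './windows_defense_evasion_decoding_using_certutil.json';
-import rule109 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
-import rule110 from './windows_defense_evasion_via_filter_manager.json';
-import rule111 from './windows_defense_evasion_via_windows_event_log_tools.json';
-import rule112 from './windows_execution_via_compiled_html_file.json';
-import rule113 from './windows_execution_via_connection_manager.json';
-import rule114 from './windows_execution_via_microsoft_html_application_hta.json';
-import rule115 from './windows_execution_via_net_com_assemblies.json';
-import rule116 from './windows_execution_via_regsvr32.json';
-import rule117 from './windows_execution_via_trusted_developer_utilities.json';
-import rule118 from './windows_html_help_executable_program_connecting_to_the_internet.json';
-import rule119 from './windows_image_load_from_a_temp_directory.json';
-import rule120 from './windows_indirect_command_execution.json';
-import rule121 from './windows_iodine_activity.json';
-import rule122 from './windows_management_instrumentation_wmi_execution.json';
-import rule123 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
-import rule124 from './windows_mimikatz_activity.json';
-import rule125 from './windows_misc_lolbin_connecting_to_the_internet.json';
-import rule126 from './windows_net_command_activity_by_the_system_account.json';
-import rule127 from './windows_net_user_command_activity.json';
-import rule128 from './windows_netcat_activity.json';
-import rule129 from './windows_netcat_network_activity.json';
-import rule130 from './windows_network_anomalous_windows_process_using_https_ports.json';
-import rule131 from './windows_nmap_activity.json';
-import rule132 from './windows_nmap_scan_activity.json';
-import rule133 from './windows_payload_obfuscation_via_certutil.json';
-import rule134 from './windows_persistence_or_priv_escalation_via_hooking.json';
-import rule135 from './windows_persistence_via_application_shimming.json';
-import rule136 from './windows_persistence_via_bits_jobs.json';
-import rule137 from './windows_persistence_via_modification_of_existing_service.json';
-import rule138 from './windows_persistence_via_netshell_helper_dll.json';
-import rule139 from './windows_powershell_connecting_to_the_internet.json';
-import rule140 from './windows_priv_escalation_via_accessibility_features.json';
-import rule141 from './windows_process_discovery_via_tasklist_command.json';
-import rule142 from './windows_process_execution_via_wmi.json';
-import rule143 from './windows_process_started_by_acrobat_reader_possible_payload.json';
-import rule144 from './windows_process_started_by_ms_office_program_possible_payload.json';
-import rule145 from './windows_process_started_by_the_java_runtime.json';
-import rule146 from './windows_psexec_activity.json';
-import rule147 from './windows_register_server_program_connecting_to_the_internet.json';
-import rule148 from './windows_registry_query_local.json';
-import rule149 from './windows_registry_query_network.json';
-import rule150 from './windows_remote_management_execution.json';
-import rule151 from './windows_scheduled_task_activity.json';
-import rule152 from './windows_script_interpreter_connecting_to_the_internet.json';
-import rule153 from './windows_signed_binary_proxy_execution.json';
-import rule154 from './windows_signed_binary_proxy_execution_download.json';
-import rule155 from './windows_suspicious_process_started_by_a_script.json';
-import rule156 from './windows_whoami_command_activity.json';
-import rule157 from './windows_windump_activity.json';
-import rule158 from './windows_wireshark_activity.json';
+import rule3 from './elastic_endpoint_security_adversary_behavior_detected.json';
+import rule4 from './elastic_endpoint_security_cred_dumping_detected.json';
+import rule5 from './elastic_endpoint_security_cred_dumping_prevented.json';
+import rule6 from './elastic_endpoint_security_cred_manipulation_detected.json';
+import rule7 from './elastic_endpoint_security_cred_manipulation_prevented.json';
+import rule8 from './elastic_endpoint_security_exploit_detected.json';
+import rule9 from './elastic_endpoint_security_exploit_prevented.json';
+import rule10 from './elastic_endpoint_security_malware_detected.json';
+import rule11 from './elastic_endpoint_security_malware_prevented.json';
+import rule12 from './elastic_endpoint_security_permission_theft_detected.json';
+import rule13 from './elastic_endpoint_security_permission_theft_prevented.json';
+import rule14 from './elastic_endpoint_security_process_injection_detected.json';
+import rule15 from './elastic_endpoint_security_process_injection_prevented.json';
+import rule16 from './elastic_endpoint_security_ransomware_detected.json';
+import rule17 from './elastic_endpoint_security_ransomware_prevented.json';
+import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json';
+import rule19 from './eql_adobe_hijack_persistence.json';
+import rule20 from './eql_audio_capture_via_powershell.json';
+import rule21 from './eql_audio_capture_via_soundrecorder.json';
+import rule22 from './eql_bypass_uac_event_viewer.json';
+import rule23 from './eql_bypass_uac_via_cmstp.json';
+import rule24 from './eql_bypass_uac_via_sdclt.json';
+import rule25 from './eql_clearing_windows_event_logs.json';
+import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json';
+import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json';
+import rule28 from './eql_direct_outbound_smb_connection.json';
+import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json';
+import rule30 from './eql_dll_search_order_hijack.json';
+import rule31 from './eql_encoding_or_decoding_files_via_certutil.json';
+import rule32 from './eql_local_scheduled_task_commands.json';
+import rule33 from './eql_local_service_commands.json';
+import rule34 from './eql_modification_of_boot_configuration.json';
+import rule35 from './eql_msbuild_making_network_connections.json';
+import rule36 from './eql_mshta_making_network_connections.json';
+import rule37 from './eql_msxsl_making_network_connections.json';
+import rule38 from './eql_psexec_lateral_movement_command.json';
+import rule39 from './eql_suspicious_ms_office_child_process.json';
+import rule40 from './eql_suspicious_ms_outlook_child_process.json';
+import rule41 from './eql_suspicious_pdf_reader_child_process.json';
+import rule42 from './eql_system_shells_via_services.json';
+import rule43 from './eql_unusual_network_connection_via_rundll32.json';
+import rule44 from './eql_unusual_parentchild_relationship.json';
+import rule45 from './eql_unusual_process_network_connection.json';
+import rule46 from './eql_user_account_creation.json';
+import rule47 from './eql_user_added_to_administrator_group.json';
+import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
+import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json';
+import rule50 from './eql_windows_script_executing_powershell.json';
+import rule51 from './eql_wmic_command_lateral_movement.json';
+import rule52 from './linux_hping_activity.json';
+import rule53 from './linux_iodine_activity.json';
+import rule54 from './linux_kernel_module_activity.json';
+import rule55 from './linux_ldso_process_activity.json';
+import rule56 from './linux_mknod_activity.json';
+import rule57 from './linux_netcat_network_connection.json';
+import rule58 from './linux_nmap_activity.json';
+import rule59 from './linux_nping_activity.json';
+import rule60 from './linux_process_started_in_temp_directory.json';
+import rule61 from './linux_shell_activity_by_web_server.json';
+import rule62 from './linux_socat_activity.json';
+import rule63 from './linux_ssh_forwarding.json';
+import rule64 from './linux_strace_activity.json';
+import rule65 from './linux_tcpdump_activity.json';
+import rule66 from './linux_whoami_commmand.json';
+import rule67 from './network_dns_directly_to_the_internet.json';
+import rule68 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
+import rule69 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
+import rule70 from './network_nat_traversal_port_activity.json';
+import rule71 from './network_port_26_activity.json';
+import rule72 from './network_port_8000_activity_to_the_internet.json';
+import rule73 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
+import rule74 from './network_proxy_port_activity_to_the_internet.json';
+import rule75 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
+import rule76 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
+import rule77 from './network_rpc_remote_procedure_call_from_the_internet.json';
+import rule78 from './network_rpc_remote_procedure_call_to_the_internet.json';
+import rule79 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
+import rule80 from './network_smtp_to_the_internet.json';
+import rule81 from './network_sql_server_port_activity_to_the_internet.json';
+import rule82 from './network_ssh_secure_shell_from_the_internet.json';
+import rule83 from './network_ssh_secure_shell_to_the_internet.json';
+import rule84 from './network_telnet_port_activity.json';
+import rule85 from './network_tor_activity_to_the_internet.json';
+import rule86 from './network_vnc_virtual_network_computing_from_the_internet.json';
+import rule87 from './network_vnc_virtual_network_computing_to_the_internet.json';
+import rule88 from './null_user_agent.json';
+import rule89 from './sqlmap_user_agent.json';
+import rule90 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
+import rule91 from './windows_certutil_connecting_to_the_internet.json';
+import rule92 from './windows_command_prompt_connecting_to_the_internet.json';
+import rule93 from './windows_command_shell_started_by_internet_explorer.json';
+import rule94 from './windows_command_shell_started_by_powershell.json';
+import rule95 from './windows_command_shell_started_by_svchost.json';
+import rule96 from './windows_defense_evasion_via_filter_manager.json';
+import rule97 from './windows_execution_via_compiled_html_file.json';
+import rule98 from './windows_execution_via_connection_manager.json';
+import rule99 from './windows_execution_via_net_com_assemblies.json';
+import rule100 from './windows_execution_via_regsvr32.json';
+import rule101 from './windows_execution_via_trusted_developer_utilities.json';
+import rule102 from './windows_html_help_executable_program_connecting_to_the_internet.json';
+import rule103 from './windows_misc_lolbin_connecting_to_the_internet.json';
+import rule104 from './windows_net_command_activity_by_the_system_account.json';
+import rule105 from './windows_persistence_via_application_shimming.json';
+import rule106 from './windows_priv_escalation_via_accessibility_features.json';
+import rule107 from './windows_process_discovery_via_tasklist_command.json';
+import rule108 from './windows_process_execution_via_wmi.json';
+import rule109 from './windows_register_server_program_connecting_to_the_internet.json';
+import rule110 from './windows_signed_binary_proxy_execution.json';
+import rule111 from './windows_signed_binary_proxy_execution_download.json';
+import rule112 from './windows_suspicious_process_started_by_a_script.json';
+import rule113 from './windows_whoami_command_activity.json';
 export const rawRules = [
 rule1,
 rule2,
@@ -279,49 +234,4 @@ export const rawRules = [
 rule111,
 rule112,
 rule113,
-rule114,
-rule115,
-rule116,
-rule117,
-rule118,
-rule119,
-rule120,
-rule121,
-rule122,
-rule123,
-rule124,
-rule125,
-rule126,
-rule127,
-rule128,
-rule129,
-rule130,
-rule131,
-rule132,
-rule133,
-rule134,
-rule135,
-rule136,
-rule137,
-rule138,
-rule139,
-rule140,
-rule141,
-rule142,
-rule143,
-rule144,
-rule145,
-rule146,
-rule147,
-rule148,
-rule149,
-rule150,
-rule151,
-rule152,
-rule153,
-rule154,
-rule155,
-rule156,
-rule157,
-rule158,
 ];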

