[SIEM][Detection Engine] Final final rule changes (#56806) (#56819)
## Summary

* Final, final, Rule changes

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
FrankHassanabad and elasticmachine committed Feb 5, 2020
1 parent abcc6b7 commit dc87741
Showing 115 changed files with 312 additions and 1,094 deletions.
2 changes: 0 additions & 2 deletions NOTICE.txt
Expand Up @@ -162,8 +162,6 @@ which is available under a "MIT" license. The files based on this license are:
- windows_priv_escalation_via_accessibility_features.json
- windows_persistence_via_application_shimming.json
- windows_execution_via_trusted_developer_utilities.json
- windows_execution_via_net_com_assemblies.json
- windows_execution_via_connection_manager.json

MIT License
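Review bot: the two entries dropped from the MIT-licensed file list should correspond to rule files deleted in this same commit; please confirm the matching `.json` rules are actually removed from the rules directory (or no longer derive from that licensed source), so NOTICE.txt and the shipped rule set stay in sync, and that no test fixture or index still references those file names.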

@@ -1,13 +1,13 @@
{
"description": "A POST request to web application returned a 403 response which indicates the web application declined to process the request because the action requested was disallowed.",
"description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed",
"false_positives": [
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
],
"index": [
"apm-*-transaction*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Web Application Suspicious Activity: POST Request Declined",
"query": "http.response.status_code:403 and http.request.method:post",
"references": [
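Review bot: `max_signals` goes from 33 to 100 here, and the same jump appears in every rule in the commit; since the false_positives text of this very rule warns that scans and buggy applications "may produce large numbers of these errors", it is worth confirming that 100 signals per execution is the intended default rather than a value to tune per rule. Minor: the new description drops the trailing period that the other rewritten descriptions keep, and both old and new text read "A POST request to web application", which wants "a web application". Also confirm the casing of `http.request.method` values in `apm-*-transaction*`: on a keyword-mapped field `http.request.method:post` is an exact match and will not hit `POST`.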
@@ -1,13 +1,13 @@
{
"description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method was not allowed for the resource.",
"description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource",
"false_positives": [
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity."
"Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
],
"index": [
"apm-*-transaction*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Web Application Suspicious Activity: Unauthorized Method",
"query": "http.response.status_code:405",
"references": [
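Review bot: the rewritten description switches to present tense ("the HTTP method is not allowed") while the sibling 403 rule stays in past tense ("was not allowed"); pick one for the pair. Same missing article as the 403 rule: "A request to web application" should read "A request to a web application". The query `http.response.status_code:405` carries no method or source restriction, so the false_positives note about scanners is carrying the whole load; confirm the expected volume is acceptable before raising max_signals to 100.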
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Adversary behavior detected.",
"description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Adversary Behavior - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event",
"risk_score": 47,
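Review bot: unlike the other Elastic Endpoint rules in this commit, this query has no `endgame.metadata.type` clause, so it matches both detection and prevention `rules_engine_event` alerts; if that is intended, say so in the description, otherwise split it into a Detected/Prevented pair like Credential Dumping. The new description also embeds UI navigation ("Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page"); the same sentence is copied into every endpoint rule here and will have to change in all of them whenever that page layout changes, so a shorter description with the navigation hint kept in one place would be easier to maintain.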
@@ -1,11 +1,13 @@
{
"description": "Elastic Endpoint Security Alert - Credential dumping detected.",
"description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"name": "Cred Dumping - Detected - Elastic Endpoint",
"max_signals": 100,
"name": "Credential Dumping - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection",
"risk_score": 73,
"rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
@@ -1,11 +1,13 @@
{
"description": "Elastic Endpoint Security Alert - Credential dumping prevented.",
"description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"name": "Cred Dumping - Prevented - Elastic Endpoint",
"max_signals": 100,
"name": "Credential Dumping - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention",
"risk_score": 47,
"rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
@@ -1,11 +1,13 @@
{
"description": "Elastic Endpoint Security Alert - Credential manipulation detected.",
"description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"name": "Cred Manipulation - Detected - Elastic Endpoint",
"max_signals": 100,
"name": "Credential Manipulation - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection",
"risk_score": 73,
"rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
@@ -1,17 +1,20 @@
{
"description": "Elastic Endpoint Security Alert - Credential manipulation prevented.",
"description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"name": "Cred Manipulation - Prevented - Elastic Endpoint",
"max_signals": 100,
"name": "Credential Manipulation - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention",
"risk_score": 47,
"rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
"severity": "medium",
"tags": [
"Elastic"
"Elastic",
"Endpoint"
],
"type": "query",
"version": 1
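Review bot: name, description, max_signals and tags all change in this hunk, but `"version": 1` at the bottom is untouched; if this rule has already shipped as a prepackaged rule, the version should be bumped so the update path can distinguish the new content from the installed copy. The `"Endpoint"` tag added here is presumably what the +2 line count in the other endpoint hunks adds as well; confirm the spelling is identical across all of them, since tag filtering in the UI is an exact match.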
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Exploit detected.",
"description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Exploit - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection",
"risk_score": 73,
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Exploit prevented.",
"description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Exploit - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention",
"risk_score": 47,
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Malware detected.",
"description": "Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Malware - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection",
"risk_score": 99,
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Malware prevented.",
"description": "Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Malware - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:prevention",
"risk_score": 73,
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Permission theft detected.",
"description": "Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Permission Theft - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:detection",
"risk_score": 73,
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Permission theft prevented.",
"description": "Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Permission Theft - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:prevention",
"risk_score": 47,
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Process injection detected.",
"description": "Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Process Injection - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:detection",
"risk_score": 73,
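Review bot: the rule is named "Process Injection" but the query matches `event.action:kernel_shellcode_event`, and the new description only says the endpoint "detected Process Injection", so a reader of the rule cannot see why that event type is the right one. A sentence in the description stating that shellcode events are how the endpoint reports injection would make the mapping reviewable; the same applies to the Permission Theft pair, which match `token_protection_event`.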
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Process injection prevented.",
"description": "Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Process Injection - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:prevention",
"risk_score": 47,
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Ransomware detected.",
"description": "Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Ransomware - Detected - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:detection",
"risk_score": 99,
@@ -1,10 +1,12 @@
{
"description": "Elastic Endpoint Security Alert - Ransomware prevented.",
"description": "Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.",
"from": "now-660s",
"index": [
"endgame-*"
],
"interval": "10m",
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Ransomware - Prevented - Elastic Endpoint",
"query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:prevention",
"risk_score": 73,
@@ -1,10 +1,10 @@
{
"description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection",
"description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
"index": [
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Adding Hidden File Attribute via Attrib",
"query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"",
"risk_score": 21,
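Review bot: the `query` string starts with a leading space (`" event.action:...`); KQL tolerates it, but it is inconsistent with every other rule in the commit and will be visible in the rule's query display, so trim it while the file is being touched. The rule keys on `process.args:"+h"` alone, so any `attrib +h` invocation fires; with max_signals going from 33 to 100, confirm that volume is acceptable for a risk_score 21 rule.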
Expand Up @@ -4,7 +4,7 @@
"winlogbeat-*"
],
"language": "kuery",
"max_signals": 33,
"max_signals": 100,
"name": "Adobe Hijack Persistence",
"query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
"risk_score": 21,
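Review bot: the exclusion `not process.name:msiexeec.exe` misspells the installer binary (`msiexec.exe` has a single `e` before the `c`), so it never matches and every legitimate installer-driven creation of RdrCEF.exe produces a signal; fix the spelling here, ideally before the limit is raised to 100, since this hunk otherwise only touches max_signals.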