From 8969a1741f8fdbc63c3be868b22fe9cbd85da9e5 Mon Sep 17 00:00:00 2001 
From: Craig Date: Tue, 21 Jan 2020 21:39:19 -0500 Subject: [PATCH] rules part deux cuts and metadata additions --- ...den_file_attribute_with_via_attribexe.json | 41 +- .../eql_adobe_hijack_persistence.json | 26 +- .../eql_audio_capture_via_powershell.json | 26 +- .../eql_audio_capture_via_soundrecorder.json | 26 +- .../eql_bypass_uac_event_viewer.json | 26 +- .../eql_bypass_uac_via_cmstp.json | 26 +- .../eql_bypass_uac_via_sdclt.json | 26 +- .../eql_clearing_windows_event_logs.json | 26 +- ...delete_volume_usn_journal_with_fsutil.json | 26 +- ...deleting_backup_catalogs_with_wbadmin.json | 26 +- .../eql_direct_outbound_smb_connection.json | 26 +- ...ble_windows_firewall_rules_with_netsh.json | 26 +- .../eql_dll_search_order_hijack.json | 41 +- ...coding_or_decoding_files_via_certutil.json | 26 +- .../eql_local_scheduled_task_commands.json | 26 +- .../eql_local_service_commands.json | 26 +- ...ql_modification_of_boot_configuration.json | 28 +- ...ql_msbuild_making_network_connections.json | 26 +- .../eql_mshta_making_network_connections.json | 29 +- .../eql_msxsl_making_network_connections.json | 26 +- .../eql_psexec_lateral_movement_command.json | 7 +- ...ql_suspicious_ms_office_child_process.json | 26 +- ...l_suspicious_ms_outlook_child_process.json | 26 +- ...l_suspicious_pdf_reader_child_process.json | 26 +- .../eql_system_shells_via_services.json | 26 +- ...usual_network_connection_via_rundll32.json | 26 +- .../eql_unusual_parentchild_relationship.json | 26 +- ...ql_unusual_process_network_connection.json | 26 +- .../eql_user_account_creation.json | 24 +- ...eql_user_added_to_administrator_group.json | 26 +- ...ume_shadow_copy_deletion_via_vssadmin.json | 28 +- ..._volume_shadow_copy_deletion_via_wmic.json | 28 +- ...l_windows_script_executing_powershell.json | 24 +- .../eql_wmic_command_lateral_movement.json | 26 +- .../rules/prepackaged_rules/index.ts | 444 +++--------------- .../linux_kernel_module_activity.json | 37 +- 
...nux_process_started_in_temp_directory.json | 17 +- .../linux_shell_activity_by_web_server.json | 33 +- .../linux_whoami_commmand.json | 32 +- ...ed_invokecommand_powershell_execution.json | 43 -- ...ncoded_newobject_powershell_execution.json | 43 -- ...ded_startprocess_powershell_execution.json | 43 -- ...gory_a_suspicious_string_was_detected.json | 17 - ...ttempted_administrator_privilege_gain.json | 17 - ..._category_attempted_denial_of_service.json | 17 - ...a_category_attempted_information_leak.json | 17 - ...empted_login_with_suspicious_username.json | 17 - ...ategory_attempted_user_privilege_gain.json | 17 - ...ta_category_client_using_unusual_port.json | 17 - ...egory_crypto_currency_mining_activity.json | 17 - ...icata_category_decode_of_an_rpc_query.json | 17 - ...t_username_and_password_login_attempt.json | 17 - .../suricata_category_denial_of_service.json | 17 - ...ata_category_denial_of_service_attack.json | 17 - ...category_executable_code_was_detected.json | 17 - ...uricata_category_exploit_kit_activity.json | 17 - ...ategory_external_ip_address_retrieval.json | 17 - .../suricata_category_generic_icmp_event.json | 17 - ...egory_generic_protocol_command_decode.json | 17 - .../suricata_category_information_leak.json | 17 - ...category_large_scale_information_leak.json | 17 - ..._malware_command_and_control_activity.json | 17 - .../suricata_category_misc_activity.json | 17 - .../suricata_category_misc_attack.json | 17 - ...ricata_category_network_scan_detected.json | 17 - ...cata_category_network_trojan_detected.json | 17 - ...ategory_nonstandard_protocol_or_event.json | 17 - ...icata_category_not_suspicious_traffic.json | 17 - .../suricata_category_observed_c2_domain.json | 17 - ...possible_social_engineering_attempted.json | 17 - ...ta_category_possibly_unwanted_program.json | 17 - ...potential_corporate_privacy_violation.json | 17 - ...cata_category_potentially_bad_traffic.json | 17 - ...lly_vulnerable_web_application_access.json | 17 - 
...ccessful_administrator_privilege_gain.json | 17 - ..._category_successful_credential_theft.json | 17 - ...tegory_successful_user_privilege_gain.json | 17 - ...category_suspicious_filename_detected.json | 17 - ...uricata_category_system_call_detected.json | 17 - ..._category_targeted_malicious_activity.json | 17 - ...cata_category_tcp_connection_detected.json | 17 - .../suricata_category_unknown_traffic.json | 17 - ...gory_unsuccessful_user_privilege_gain.json | 17 - ...icata_category_web_application_attack.json | 17 - ...baltstrike_artifact_in_an_dns_request.json | 17 - ...a_commonly_abused_dns_domain_detected.json | 17 - ...eversal_characters_in_an_http_request.json | 17 - ...aversal_characters_in_an_http_request.json | 38 -- ...traversal_characters_in_http_response.json | 38 -- ...tory_traversal_in_downloaded_zip_file.json | 38 -- ...icata_dns_traffic_on_unusual_tcp_port.json | 38 -- ...icata_dns_traffic_on_unusual_udp_port.json | 17 - ...ta_double_encoded_characters_in_a_uri.json | 17 - ...le_encoded_characters_in_an_http_post.json | 17 - ...le_encoded_characters_in_http_request.json | 38 -- ..._eval_php_function_in_an_http_request.json | 17 - .../suricata_exploit_cve_2018_1000861.json | 35 -- .../suricata_exploit_cve_2019_0227.json | 35 -- .../suricata_exploit_cve_2019_0232.json | 35 -- .../suricata_exploit_cve_2019_0604.json | 35 -- .../suricata_exploit_cve_2019_0708.json | 35 -- .../suricata_exploit_cve_2019_0752.json | 35 -- .../suricata_exploit_cve_2019_1003000.json | 35 -- .../suricata_exploit_cve_2019_10149.json | 35 -- .../suricata_exploit_cve_2019_11043.json | 35 -- .../suricata_exploit_cve_2019_11510.json | 35 -- .../suricata_exploit_cve_2019_11580.json | 35 -- .../suricata_exploit_cve_2019_11581.json | 35 -- .../suricata_exploit_cve_2019_13450.json | 35 -- .../suricata_exploit_cve_2019_13505.json | 35 -- .../suricata_exploit_cve_2019_15107.json | 35 -- .../suricata_exploit_cve_2019_15846.json | 35 -- .../suricata_exploit_cve_2019_16072.json | 35 -- 
.../suricata_exploit_cve_2019_1652.json | 35 -- .../suricata_exploit_cve_2019_16662.json | 35 -- .../suricata_exploit_cve_2019_16759.json | 35 -- .../suricata_exploit_cve_2019_16928.json | 35 -- .../suricata_exploit_cve_2019_17270.json | 35 -- .../suricata_exploit_cve_2019_1821.json | 35 -- .../suricata_exploit_cve_2019_19781.json | 35 -- .../suricata_exploit_cve_2019_2618.json | 35 -- .../suricata_exploit_cve_2019_2725.json | 35 -- .../suricata_exploit_cve_2019_3396.json | 35 -- .../suricata_exploit_cve_2019_3929.json | 35 -- .../suricata_exploit_cve_2019_5533.json | 35 -- .../suricata_exploit_cve_2019_6340.json | 35 -- .../suricata_exploit_cve_2019_7256.json | 35 -- .../suricata_exploit_cve_2019_9978.json | 35 -- ..._on_unusual_port_internet_destination.json | 17 - ..._on_unusual_port_internet_destination.json | 17 - ..._on_unusual_port_internet_destination.json | 17 - ...cata_lazagne_artifact_in_an_http_post.json | 17 - ...ta_mimikatz_artifacts_in_an_http_post.json | 17 - ...katz_string_detected_in_http_response.json | 17 - ...uricata_nondns_traffic_on_tcp_port_53.json | 17 - ...uricata_nondns_traffic_on_udp_port_53.json | 17 - .../suricata_nonftp_traffic_on_port_21.json | 17 - ...ricata_nonhttp_traffic_on_tcp_port_80.json | 17 - ...ata_nonimap_traffic_on_port_1443_imap.json | 17 - ...ta_nonsmb_traffic_on_tcp_port_139_smb.json | 17 - .../suricata_nonssh_traffic_on_port_22.json | 17 - .../suricata_nontls_on_tls_port.json | 17 - ...alt_strike_malleable_c2_null_response.json | 17 - ...ion_sql_commands_in_http_transactions.json | 17 - .../suricata_rpc_traffic_on_http_ports.json | 17 - .../suricata_serialized_php_detected.json | 17 - ...ell_exec_php_function_in_an_http_post.json | 17 - ...c_not_on_port_22_internet_destination.json | 17 - ..._on_unusual_port_internet_destination.json | 17 - ...executable_served_by_jpeg_web_content.json | 17 - .../zeek_notice_capturelosstoo_much_loss.json | 17 - .../zeek_notice_conncontent_gap.json | 17 - 
...tice_connretransmission_inconsistency.json | 17 - .../zeek_notice_dnsexternal_name.json | 17 - .../zeek_notice_ftpbruteforcing.json | 17 - .../zeek_notice_ftpsite_exec_success.json | 17 - ...notice_heartbleedssl_heartbeat_attack.json | 17 - ...eartbleedssl_heartbeat_attack_success.json | 17 - ...heartbleedssl_heartbeat_many_requests.json | 17 - ...ce_heartbleedssl_heartbeat_odd_length.json | 17 - ...eek_notice_httpsql_injection_attacker.json | 17 - .../zeek_notice_httpsql_injection_victim.json | 17 - .../zeek_notice_intelnotice.json | 17 - .../zeek_notice_noticetally.json | 17 - ...ice_packetfiltercannot_bpf_shunt_conn.json | 17 - ...ek_notice_packetfiltercompile_failure.json | 17 - ...ek_notice_packetfilterdropped_packets.json | 17 - ...ek_notice_packetfilterinstall_failure.json | 17 - ...etfilterno_more_conn_shunts_available.json | 17 - ...acketfiltertoo_long_to_compile_filter.json | 17 - ...notice_protocoldetectorprotocol_found.json | 17 - ...k_notice_protocoldetectorserver_found.json | 17 - .../zeek_notice_scanaddress_scan.json | 17 - .../zeek_notice_scanport_scan.json | 17 - ...zeek_notice_signaturescount_signature.json | 17 - ...ice_signaturesmultiple_sig_responders.json | 17 - ..._notice_signaturesmultiple_signatures.json | 17 - ..._notice_signaturessensitive_signature.json | 17 - ...ek_notice_signaturessignature_summary.json | 17 - ...eek_notice_smtpblocklist_blocked_host.json | 17 - ...ek_notice_smtpblocklist_error_message.json | 17 - ...eek_notice_smtpsuspicious_origination.json | 17 - ...otice_softwaresoftware_version_change.json | 17 - ...eek_notice_softwarevulnerable_version.json | 17 - ..._notice_sshinteresting_hostname_login.json | 17 - ...k_notice_sshlogin_by_password_guesser.json | 17 - .../zeek_notice_sshpassword_guessing.json | 17 - .../zeek_notice_sshwatched_country_login.json | 17 - .../zeek_notice_sslcertificate_expired.json | 17 - ...ek_notice_sslcertificate_expires_soon.json | 17 - ...k_notice_sslcertificate_not_valid_yet.json | 17 - 
.../zeek_notice_sslinvalid_ocsp_response.json | 17 - .../zeek_notice_sslinvalid_server_cert.json | 17 - .../zeek_notice_sslold_version.json | 17 - .../zeek_notice_sslweak_cipher.json | 17 - .../zeek_notice_sslweak_key.json | 17 - ...ice_teamcymrumalwarehashregistrymatch.json | 17 - .../zeek_notice_traceroutedetected.json | 17 - .../zeek_notice_weirdactivity.json | 17 - 199 files changed, 970 insertions(+), 3972 deletions(-) delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json 
delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json delete mode 
100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json delete mode 100644 
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
index a65a386cb827e7..e5280d19f8e4a5 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -1,16 +1,51 @@ { - "description": "EQL - Adding the Hidden File Attribute with via attrib.exe", + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Adding the Hidden File Attribute with via attrib.exe", + "name": "Adding the Hidden File Attribute with via attrib.exe", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"", - "risk_score": 50, + "risk_score": 25, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1158", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1158/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "techniques": [ + { + "id": "T1158", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1158/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json index e5d797f3fc1319..0fac9b17160e2a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json 
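Review bot: The new `name` keeps the doubled preposition from the old title — "with via attrib.exe" — so it should read `"name": "Adding the Hidden File Attribute via attrib.exe",`; the filename carries the same slip, so the title is what users will actually see. The unchanged `query` value also begins with a stray space before `event.action`, which KQL tolerates but which is inconsistent with the other rules in this commit. Listing T1158 under both Defense Evasion and Persistence matches the technique's dual tactic assignment, so the duplicated technique block is correct as written.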
@@ -1,16 +1,36 @@ { - "description": "EQL - Adobe Hijack Persistence", + "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Adobe Hijack Persistence", + "name": "Adobe Hijack Persistence", "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe", - "risk_score": 50, + "risk_score": 25, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "techniques": [ + { + "id": "T1044", + "name": "File System Permissions Weakness", + "reference": "https://attack.mitre.org/techniques/T1044/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json index ef65bd3ecef35d..0506d033489132 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json 
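Review bot: The exclusion on the unchanged `query` line misspells the installer as `msiexeec.exe` (doubled "e"), so `not process.name:msiexeec.exe` never filters anything and every legitimate Adobe update that writes RdrCEF.exe will alert; it should be `and not process.name:msiexec.exe`. Because the new description now promises a persistence detection, this false-positive source is what users will judge the rule on first. The description itself could also be tightened to name the mechanism the threat entry maps to, e.g. `"description": "Detects writing executable files to the Adobe Reader RdrCEF.exe path, which Adobe will launch automatically; this abuses a file system permissions weakness for persistence.",`.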
@@ -1,16 +1,36 @@ { - "description": "EQL - Audio Capture via PowerShell", + "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Audio Capture via PowerShell", + "name": "Audio Capture via PowerShell", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"", - "risk_score": 50, + "risk_score": 25, "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "techniques": [ + { + "id": "T1123", + "name": "Audio Capture", + "reference": "https://attack.mitre.org/techniques/T1123/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json index 89eec55d827d6d..392eeb3980c9fc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json 
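Review bot: The added `tactic` object is internally inconsistent: `"id": "TA0003"` is Persistence, while its `name` says Collection and its `reference` URL points at TA0009; the id should be `"id": "TA0009",` so id, name and link agree, otherwise any UI or filter that keys on the tactic id will file this rule under the wrong tactic. The same mismatch is copied into eql_audio_capture_via_soundrecorder.json in the next hunk. T1123 Audio Capture is correctly a Collection technique, so only the tactic id needs fixing in both files.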
@@ -1,16 +1,36 @@ { - "description": "EQL - Audio Capture via SoundRecorder", + "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Audio Capture via SoundRecorder", + "name": "Audio Capture via SoundRecorder", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"", - "risk_score": 50, + "risk_score": 25, "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "techniques": [ + { + "id": "T1123", + "name": "Audio Capture", + "reference": "https://attack.mitre.org/techniques/T1123/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json index 80f83991516a67..ecbc9a2dd46c41 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json 
@@ -1,16 +1,36 @@ { - "description": "EQL -Bypass UAC Event Viewer", + "description": "Identifies User Account Control (UAC) bypass via eventvwr. Attackers bypass UAC to stealthily execute code with elevated permissions.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL -Bypass UAC Event Viewer", + "name": "Bypass UAC via Event Viewer", "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")", - "risk_score": 50, + "risk_score": 25, "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "techniques": [ + { + "id": "T1088", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1088/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json index 0850632c95899d..2518fda68ee0f6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json 
@@ -1,16 +1,36 @@ { - "description": "EQL - Bypass UAC via CMSTP", + "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Bypass UAC via CMSTP", + "name": "Bypass UAC via CMSTP", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")", - "risk_score": 50, + "risk_score": 25, "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "techniques": [ + { + "id": "T1088", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1088/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json index 85ba24fd572c37..c419dc080ec3cb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json 
@@ -1,16 +1,36 @@ { - "description": "EQL -Bypass UAC Via sdclt", + "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL -Bypass UAC Via sdclt", + "name": "Bypass UAC via SDCLT", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")", - "risk_score": 50, + "risk_score": 25, "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "techniques": [ + { + "id": "T1088", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1088/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json index 28f45b94049e78..bcf9b02a0210f6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json 
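Review bot: The new `description` says "UAC bypass via cmstp", but this is the sdclt rule — the `name` and the `query` both key on sdclt.exe — so the text was copied from eql_bypass_uac_via_cmstp.json without being updated; it should read `"description": "Identifies User Account Control (UAC) bypass via sdclt. Attackers bypass UAC to stealthily execute code with elevated permissions.",`. An analyst triaging the alert reads the description first, and a wrong binary name sends them looking at the wrong process.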
@@ -1,16 +1,36 @@ { - "description": "EQL - Clearing Windows Event Logs", + "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt evade detection or destroy forensic evidence on a system.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Clearing Windows Event Logs", + "name": "Clearing Windows Event Logs", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")", - "risk_score": 50, + "risk_score": 25, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1070", + "name": "Indicator Removal on Host", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json index 6f00427656af6f..5a9ba605975340 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json 
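Review bot: The unchanged `query` mixes `and` and `or` without grouping; in KQL `and` binds tighter than `or`, so the `event.action` filter applies only to the wevtutil branch and the powershell branch matches any event carrying `Clear-EventLog` in its args, whatever its event type. Group the two alternatives: `"query": "event.action:\"Process Create (rule: ProcessCreate)\" and ((process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\"))",`. The netsh rule in eql_disable_windows_firewall_rules_with_netsh.json has the same shape — its `advfirewall ... off` branch is not bound to `process.name:"netsh.exe"` or to the process-create action, so it needs the same parenthesization.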
@@ -1,16 +1,36 @@ { - "description": "EQL - Delete Volume USN Journal with fsutil", + "description": "Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Delete Volume USN Journal with fsutil", + "name": "Delete Volume USN Journal with fsutil", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")", - "risk_score": 50, + "risk_score": 25, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json index 8f5b21b74ee6a3..240678d45238cc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json 
@@ -1,16 +1,36 @@ { - "description": "EQL - Deleting Backup Catalogs with wbadmin", + "description": "Identifies use of the wbadmin command to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Deleting Backup Catalogs with wbadmin", + "name": "Deleting Backup Catalogs with wbadmin", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")", - "risk_score": 50, + "risk_score": 25, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json index 56f0b2efec620c..9e5ccc73dc05ee 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json 
@@ -1,16 +1,36 @@ { - "description": "EQL - Direct Outbound SMB Connection", + "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Direct Outbound SMB Connection", + "name": "Direct Outbound SMB Connection", "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")", "risk_score": 50, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "techniques": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json index 4d1e32eb298978..40a8298561dbd7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json 
@@ -1,16 +1,36 @@ { - "description": "EQL - Disable Windows Firewall Rules with Netsh", + "description": "Identifies use of the netsh command to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Disable Windows Firewall Rules with Netsh", + "name": "Disable Windows Firewall Rules with Netsh", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")", "risk_score": 50, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1089", + "name": "Disabling Security Tools", + "reference": "https://attack.mitre.org/techniques/T1089/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json index b9bf463a8e5f22..0ee8674e3304b2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json 
@@ -1,16 +1,51 @@ { - "description": "EQL - DLL Search Order Hijack", + "description": "Detects writing DLL files to known locations associated with Windows files vulnerable to DLL search order hijacking.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - DLL Search Order Hijack", + "name": "DLL Search Order Hijack", "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ", "risk_score": 50, "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "techniques": [ + { + "id": "T1088", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1088/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1088", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1088/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 
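Review bot: Every entry in the unchanged `file.path` list is missing the drive colon — `"C\\Windows\\ehome\\cryptbase.dll"` should be `"C:\\Windows\\ehome\\cryptbase.dll"`, and likewise for the other eight paths — so as written the rule cannot match a real file path and will never fire. Separately, the added `threats` map this rule to T1088 Bypass User Account Control under both tactics, while the name and description are about DLL search order hijacking; ATT&CK has a dedicated DLL Search Order Hijacking technique in the legacy numbering this commit uses (T1038), which is what an analyst would search for. The `not winlog.user.identifier:(...)` exclusion of the built-in service SIDs is sensible, but a short note in the description saying that writes by SYSTEM, LOCAL SERVICE and NETWORK SERVICE are excluded would make that tunable intent visible.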
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json index 6b4ffd9cb21e3b..3e912e076adecf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json @@ -1,16 +1,36 @@ { - "description": "EQL - Encoding or Decoding Files via CertUtil", + "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Encoding or Decoding Files via CertUtil", + "name": "Encoding or Decoding Files via CertUtil", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")", "risk_score": 50, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json index f09983d26aff50..304fea1cfbb76c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json @@ -1,16 +1,36 @@ { - "description": "EQL - Local Scheduled Task Commands", + "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Local Scheduled Task Commands", + "name": "Local Scheduled Task Commands", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")", - "risk_score": 50, + "risk_score": 25, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "techniques": [ + { + "id": "T1053", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json index d33a3dbe6de814..7454b0fd452c67 100644 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json @@ -1,16 +1,36 @@ { - "description": "EQL - Local Service Commands", + "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Local Service Commands", + "name": "Local Service Commands", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")", - "risk_score": 50, + "risk_score": 25, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json index 39dc2547520737..d4ac29a78c77de 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json 
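Review bot: The new `description` ("create, modify, or start services on remote hosts") contradicts the rule's `name` ("Local Service Commands") and the `query`, which matches any `sc.exe` invocation with `create|config|failure|start` and has no remote-target argument; either drop "on remote hosts" from the description or add the remote-host form to the query. The added threat entry is also inconsistent with itself: T1021 Remote Services is a Lateral Movement (TA0008) technique, not Execution (TA0002). For what the query actually detects, T1035 Service Execution under Execution, or T1050 New Service under Persistence, would fit; if the rule is meant to be the remote variant, keep T1021 and change the tactic to TA0008.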
@@ -1,16 +1,36 @@ { - "description": "EQL - Modification of Boot Configuration", + "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Modification of Boot Configuration", + "name": "Modification of Boot Configuration", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ", - "risk_score": 50, + "risk_score": 75, "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8", - "severity": "low", + "severity": "high", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json index dd8fab2d8ad706..61049bba92cce4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json 
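Review bot: The new `description` says bcdedit is used "to delete boot configuration data", but the `query` matches `bcdedit set` with `bootstatuspolicy ignoreallfailures` or `recoveryenabled no`, i.e. disabling automatic repair and recovery rather than deleting anything, and the mapped technique T1107 File Deletion does not fit that behaviour either. Wording such as `"description": "Identifies use of the bcdedit command to disable Windows recovery and boot status reporting. Ransomware and other destructive malware do this to prevent system recovery.",` matches what the query checks, and T1490 Inhibit System Recovery under Impact (TA0040) is the technique ATT&CK assigns to it. The same Impact mapping would also suit the wbadmin catalog-deletion rule earlier in this commit, which currently carries the same File Deletion label.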
@@ -1,16 +1,36 @@ { - "description": "EQL - MsBuild Making Network Connections", + "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - MsBuild Making Network Connections", + "name": "MsBuild Making Network Connections", "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")", "risk_score": 50, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json index 8037cc9bcba7f0..f2ed8449b9aafa 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json 
@@ -1,16 +1,39 @@ { - "description": "EQL - Mshta Making Network Connections", + "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Mshta Making Network Connections", + "name": "Mshta Making Network Connections", "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + ], "risk_score": 50, "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1170", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1170/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json index 5dd6d5d3042c6d..c86b7515173dc4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json 
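Review bot: The unchanged `query` is self-contradictory — `process.name:"mshta.exe" and not process.name:"mshta.exe"` can never be true — so this rule produces no alerts despite the new description and medium severity. The msbuild rule in the previous hunk shows the intended shape; the second clause should be a destination exclusion: `"query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not destination.ip:(\"127.0.0.1\" or \"::1\")",`. Adding a `references` entry here is good; it is the only rule in this commit that has one, and the others would benefit from the same.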
@@ -1,16 +1,36 @@ { - "description": "EQL - MsXsl Making Network Connections", + "description": "Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - MsXsl Making Network Connections", + "name": "MsXsl Making Network Connections", "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 50, "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json index d83f7796cd4d1a..e35843bc9b4136 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json 
@@ -1,16 +1,19 @@ { - "description": "EQL - PsExec Lateral Movement Command", + "description": "Identifies use of the SysInternals tool PsExec to execute commands on a remote host. This is an indication of lateral movement and may detect adversaries.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - PsExec Lateral Movement Command", + "name": "PsExec Lateral Movement Command", "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ", "risk_score": 50, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", + "tags": [ + "EIA" + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json index 5746541dd879cf..9d3b0361c9d291 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json 
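Review bot: This is the only rule in the set whose new description frames the behaviour as lateral movement yet receives no `threats` mapping, while every sibling rule in the commit gains one; a `threats` entry with tactic `TA0008` / `Lateral Movement` (the same tactic object used by the WMIC Command Lateral Movement rule) would keep the metadata consistent, with the technique left to the author. The risk_score/severity pairing is also inconsistent across the commit: this rule keeps `"risk_score": 50` with `"severity": "low"`, as do User Account Creation and Windows Script Executing PowerShell, whereas MsBuild, Mshta, MsXsl and the other rules pair 50 with `"medium"`. Either the score or the severity should move so that the same score does not map to two severities.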
@@ -1,16 +1,36 @@ { - "description": "EQL - Suspicious MS Office Child Process", + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Suspicious MS Office Child Process", + "name": "Suspicious MS Office Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", - "risk_score": 50, + "risk_score": 25, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": 
"Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json index 88ce75eeef34e8..f445cb187c4287 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json 
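Review bot: The scoring applied to the three near-identical child-process rules diverges without an evident reason: this Office rule and the Outlook rule drop to `"risk_score": 25` with `"severity": "low"`, while the PDF Reader rule with the same child-process list and the same T1193 mapping is raised to `"risk_score": 75` / `"severity": "high"`. If the difference is intentional it deserves a sentence in the description; otherwise the three should share one score. The same observation applies to the Outlook and PDF Reader hunks that follow.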
@@ -1,16 +1,36 @@ { - "description": "EQL - Suspicious MS Outlook Child Process", + "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Suspicious MS Outlook Child Process", + "name": "Suspicious MS Outlook Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", - "risk_score": 50, + "risk_score": 25, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + 
} + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json index 2e3a654127b53e..0b44ebd922c022 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json @@ -1,5 +1,5 @@ { - "description": "EQL - Suspicious PDF Reader Child Process", + "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "enabled": false, "filters": [], "from": "now-6m", 
@@ -8,9 +8,29 @@ "language": "kuery", "name": "EQL - Suspicious PDF Reader Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", - "risk_score": 50, + "risk_score": 75, "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f", - "severity": "low", + "severity": "high", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 
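Review bot: The `name` of this rule still carries the `EQL - ` prefix that the commit strips from every other rule, so the PDF Reader rule will be the only one listed with the old naming in the UI. The first hunk of this file already updates the description, so the omission looks accidental; the context line should become `"name": "Suspicious PDF Reader Child Process",`.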
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json index 20080719f3ed3b..687f5c0db2dabf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json @@ -1,16 +1,36 @@ { - "description": "EQL - System Shells via Services", + "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - System Shells via Services", + "name": "System Shells via Services", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")", "risk_score": 50, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "techniques": [ + { + "id": "T1050", + "name": "New Service", + "reference": "https://attack.mitre.org/techniques/T1050/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json index 79f8f8e1f606c8..4893f80e8b56c2 100644 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json @@ -1,16 +1,36 @@ { - "description": "EQL - Unusual Network Connection via RunDLL32", + "description": "Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Unusual Network Connection via RunDLL32", + "name": "Unusual Network Connection via RunDLL32", "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, + "risk_score": 25, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1085", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1085/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json index 28cce6ed89f8b0..29e3c998ebe02f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json 
@@ -1,16 +1,36 @@ { - "description": "EQL - Unusual Parent-Child Relationship ", + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Unusual Parent-Child Relationship ", + "name": "Unusual Parent-Child Relationship ", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )", "risk_score": 50, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "techniques": [ + { + "id": "T1093", + "name": "Process 
Hollowing", + "reference": "https://attack.mitre.org/techniques/T1093/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json index 8b84ec4ff34f48..ce34e4a352c887 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json @@ -1,16 +1,36 @@ { - "description": "EQL - Unusual Process Network Connection", + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Unusual Process Network Connection", + "name": "Unusual Process Network Connection", "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)", - "risk_score": 50, + "risk_score": 25, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 
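Review bot: The new `name` line keeps a trailing space, `"name": "Unusual Parent-Child Relationship ",`, which was present in the old value and is now carried forward; since rule names are shown in the UI and may be used for lookups, it should be `"name": "Unusual Parent-Child Relationship",`. The description says the rule "could indicate masquerading", but the mapped technique is `T1093` Process Hollowing under Privilege Escalation; T1036 Masquerading appears to be the closer fit for a parent/child-name check, though that is a judgement call for the author.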
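Review bot: The process names in this rule's query are unquoted (`process.name:(bginfo.exe or cdb.exe or ... or Microsoft.Workflow.Compiler.exe or ...)`), whereas every other rule in the commit quotes them; quoting would match the house style and avoids relying on how KQL tokenises dotted, unquoted values. The query line is context, not changed by this commit, but the inconsistency is visible next to the new metadata.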
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json index 3af9d9c4277511..5b94babaf8add3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json @@ -1,16 +1,36 @@ { - "description": "EQL - User Account Creation", + "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - User Account Creation", + "name": "User Account Creation", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ", "risk_score": 50, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "techniques": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json index 226f2dd1e39342..f0b770985c7166 100644 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json @@ -1,16 +1,36 @@ { - "description": "EQL - User Added to Administrator Group", + "description": "Identifies attempts to add a user to an administrative group with the \"net.exe\" command. This is sometimes done by attackers to increase access of a compromised account or create new account.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - User Added to Administrator Group", + "name": "User Added to Administrator Group", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ", "risk_score": 50, "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27", - "severity": "low", + "severity": "medium", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "techniques": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json index 2b27bce457aff8..8f23d398a48a74 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json 
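Review bot: The argument filter `process.args:("group" and "admin" and "/add")` requires the literal tokens `group` and `admin` to appear as separate arguments; if `process.args` is mapped as a keyword field (the ECS default), these are exact-term matches and the usual `localgroup` switch with the full group name would not match, so the rule may never fire despite its new `"severity": "medium"`. Confirm the field mapping, or match the full tokens (or wildcards such as `*group*`) so the intent in the description is actually covered.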
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json @@ -1,16 +1,36 @@ { - "description": "EQL - Volume Shadow Copy Deletion via VssAdmin", + "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Volume Shadow Copy Deletion via VssAdmin", + "name": "Volume Shadow Copy Deletion via VssAdmin", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ", - "risk_score": 50, + "risk_score": 75, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", - "severity": "low", + "severity": "high", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json index 4ec4530cc967f7..fc18b2c0f5d70c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json 
@@ -1,16 +1,36 @@ { - "description": "EQL - Volume Shadow Copy Deletion via WMIC", + "description": "Identifies use of wmic for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Volume Shadow Copy Deletion via WMIC", + "name": "Volume Shadow Copy Deletion via WMIC", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")", - "risk_score": 50, + "risk_score": 75, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", - "severity": "low", + "severity": "high", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "techniques": [ + { + "id": "T1107", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1107/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json index da96eb39e4d96a..ff3d660704eeb7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json 
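Review bot: The two shadow-copy deletion rules describe the same behaviour ("commonly occurs in tandem with ransomware") and receive the same score, yet are mapped to different techniques: the VssAdmin rule uses `T1490` Inhibit System Recovery while this WMIC rule uses `T1107` File Deletion. Shadow-copy removal is the defining example of T1490, so this hunk should use `"id": "T1490"`, `"name": "Inhibit System Recovery"`, `"reference": "https://attack.mitre.org/techniques/T1490/"` to match its sibling.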
@@ -1,16 +1,36 @@ { - "description": "EQL - Windows Script Executing PowerShell", + "description": "Identifies a PowerShell process launched by either CScript or WScript. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - Windows Script Executing PowerShell", + "name": "Windows Script Executing PowerShell", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"", "risk_score": 50, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "techniques": [ + { + "id": "T1193", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1193/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json index 3f1c22e2a55d99..5a9bda9e8ddfac 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json 
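Review bot: The query matches only `process.name:"powershell.exe"`, while the Office, Outlook and PDF Reader rules in this same commit treat `pwsh.exe` as an equivalent child; for consistency the filter should be `process.name:("powershell.exe" or "pwsh.exe")`. The technique mapping `T1193` Spearphishing Attachment also reads oddly for a parent/child relationship between script hosts and PowerShell, since the rule does not observe the delivery vector; a scripting- or PowerShell-related technique seems closer, but that is for the author to confirm.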
@@ -1,16 +1,36 @@ { - "description": "EQL - WMIC Command Lateral Movement", + "description": "Identifies use of wmic.exe to run commands on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "enabled": false, "filters": [], "from": "now-6m", "immutable": true, "interval": "5m", "language": "kuery", - "name": "EQL - WMIC Command Lateral Movement", + "name": "WMIC Command Lateral Movement", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")", - "risk_score": 50, + "risk_score": 25, "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210", "severity": "low", + "tags": [ + "EIA" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "techniques": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts index 6ef81addd846ec..a70ff7d13f0eed 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts 
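Review bot: The filter `process.args:("/node" or "-node")` depends on the node switch being its own argument, but WMIC's switch is normally written with the host attached (`/node:<host>`), so an exact-term match on a keyword-mapped `process.args` would not match that form. The new description already warns the rule "will be noisy if commonly done by admins", so the coverage gap matters in the other direction too; confirm the tokenisation or use a wildcard such as `process.args:(*node:*)` if the field supports it. This is a pre-existing context line, not introduced by the commit.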
@@ -88,228 +88,68 @@ import rule78 from './network_vnc_virtual_network_computing_from_the_internet.js import rule79 from './network_vnc_virtual_network_computing_to_the_internet.json'; import rule80 from './null_user_agent.json'; import rule81 from './sqlmap_user_agent.json'; -import rule82 from './suricata_base64_encoded_invokecommand_powershell_execution.json'; -import rule83 from './suricata_base64_encoded_newobject_powershell_execution.json'; -import rule84 from './suricata_base64_encoded_startprocess_powershell_execution.json'; -import rule85 from './suricata_category_a_suspicious_string_was_detected.json'; -import rule86 from './suricata_category_attempted_administrator_privilege_gain.json'; -import rule87 from './suricata_category_attempted_denial_of_service.json'; -import rule88 from './suricata_category_attempted_information_leak.json'; -import rule89 from './suricata_category_attempted_login_with_suspicious_username.json'; -import rule90 from './suricata_category_attempted_user_privilege_gain.json'; -import rule91 from './suricata_category_client_using_unusual_port.json'; -import rule92 from './suricata_category_crypto_currency_mining_activity.json'; -import rule93 from './suricata_category_decode_of_an_rpc_query.json'; -import rule94 from './suricata_category_default_username_and_password_login_attempt.json'; -import rule95 from './suricata_category_denial_of_service.json'; -import rule96 from './suricata_category_denial_of_service_attack.json'; -import rule97 from './suricata_category_executable_code_was_detected.json'; -import rule98 from './suricata_category_exploit_kit_activity.json'; -import rule99 from './suricata_category_external_ip_address_retrieval.json'; -import rule100 from './suricata_category_generic_icmp_event.json'; -import rule101 from './suricata_category_generic_protocol_command_decode.json'; -import rule102 from './suricata_category_information_leak.json'; -import rule103 from './suricata_category_large_scale_information_leak.json'; 
-import rule104 from './suricata_category_malware_command_and_control_activity.json'; -import rule105 from './suricata_category_misc_activity.json'; -import rule106 from './suricata_category_misc_attack.json'; -import rule107 from './suricata_category_network_scan_detected.json'; -import rule108 from './suricata_category_network_trojan_detected.json'; -import rule109 from './suricata_category_nonstandard_protocol_or_event.json'; -import rule110 from './suricata_category_not_suspicious_traffic.json'; -import rule111 from './suricata_category_observed_c2_domain.json'; -import rule112 from './suricata_category_possible_social_engineering_attempted.json'; -import rule113 from './suricata_category_possibly_unwanted_program.json'; -import rule114 from './suricata_category_potential_corporate_privacy_violation.json'; -import rule115 from './suricata_category_potentially_bad_traffic.json'; -import rule116 from './suricata_category_potentially_vulnerable_web_application_access.json'; -import rule117 from './suricata_category_successful_administrator_privilege_gain.json'; -import rule118 from './suricata_category_successful_credential_theft.json'; -import rule119 from './suricata_category_successful_user_privilege_gain.json'; -import rule120 from './suricata_category_suspicious_filename_detected.json'; -import rule121 from './suricata_category_system_call_detected.json'; -import rule122 from './suricata_category_targeted_malicious_activity.json'; -import rule123 from './suricata_category_tcp_connection_detected.json'; -import rule124 from './suricata_category_unknown_traffic.json'; -import rule125 from './suricata_category_unsuccessful_user_privilege_gain.json'; -import rule126 from './suricata_category_web_application_attack.json'; -import rule127 from './suricata_cobaltstrike_artifact_in_an_dns_request.json'; -import rule128 from './suricata_commonly_abused_dns_domain_detected.json'; -import rule129 from './suricata_directory_reversal_characters_in_an_http_request.json'; 
-import rule130 from './suricata_directory_traversal_characters_in_an_http_request.json'; -import rule131 from './suricata_directory_traversal_characters_in_http_response.json'; -import rule132 from './suricata_directory_traversal_in_downloaded_zip_file.json'; -import rule133 from './suricata_dns_traffic_on_unusual_tcp_port.json'; -import rule134 from './suricata_dns_traffic_on_unusual_udp_port.json'; -import rule135 from './suricata_double_encoded_characters_in_a_uri.json'; -import rule136 from './suricata_double_encoded_characters_in_an_http_post.json'; -import rule137 from './suricata_double_encoded_characters_in_http_request.json'; -import rule138 from './suricata_eval_php_function_in_an_http_request.json'; -import rule139 from './suricata_exploit_cve_2018_1000861.json'; -import rule140 from './suricata_exploit_cve_2019_0227.json'; -import rule141 from './suricata_exploit_cve_2019_0232.json'; -import rule142 from './suricata_exploit_cve_2019_0604.json'; -import rule143 from './suricata_exploit_cve_2019_0708.json'; -import rule144 from './suricata_exploit_cve_2019_0752.json'; -import rule145 from './suricata_exploit_cve_2019_1003000.json'; -import rule146 from './suricata_exploit_cve_2019_10149.json'; -import rule147 from './suricata_exploit_cve_2019_11043.json'; -import rule148 from './suricata_exploit_cve_2019_11510.json'; -import rule149 from './suricata_exploit_cve_2019_11580.json'; -import rule150 from './suricata_exploit_cve_2019_11581.json'; -import rule151 from './suricata_exploit_cve_2019_13450.json'; -import rule152 from './suricata_exploit_cve_2019_13505.json'; -import rule153 from './suricata_exploit_cve_2019_15107.json'; -import rule154 from './suricata_exploit_cve_2019_15846.json'; -import rule155 from './suricata_exploit_cve_2019_16072.json'; -import rule156 from './suricata_exploit_cve_2019_1652.json'; -import rule157 from './suricata_exploit_cve_2019_16662.json'; -import rule158 from './suricata_exploit_cve_2019_16759.json'; -import rule159 from 
'./suricata_exploit_cve_2019_16928.json'; -import rule160 from './suricata_exploit_cve_2019_17270.json'; -import rule161 from './suricata_exploit_cve_2019_1821.json'; -import rule162 from './suricata_exploit_cve_2019_19781.json'; -import rule163 from './suricata_exploit_cve_2019_2618.json'; -import rule164 from './suricata_exploit_cve_2019_2725.json'; -import rule165 from './suricata_exploit_cve_2019_3396.json'; -import rule166 from './suricata_exploit_cve_2019_3929.json'; -import rule167 from './suricata_exploit_cve_2019_5533.json'; -import rule168 from './suricata_exploit_cve_2019_6340.json'; -import rule169 from './suricata_exploit_cve_2019_7256.json'; -import rule170 from './suricata_exploit_cve_2019_9978.json'; -import rule171 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json'; -import rule172 from './suricata_http_traffic_on_unusual_port_internet_destination.json'; -import rule173 from './suricata_imap_traffic_on_unusual_port_internet_destination.json'; -import rule174 from './suricata_lazagne_artifact_in_an_http_post.json'; -import rule175 from './suricata_mimikatz_artifacts_in_an_http_post.json'; -import rule176 from './suricata_mimikatz_string_detected_in_http_response.json'; -import rule177 from './suricata_nondns_traffic_on_tcp_port_53.json'; -import rule178 from './suricata_nondns_traffic_on_udp_port_53.json'; -import rule179 from './suricata_nonftp_traffic_on_port_21.json'; -import rule180 from './suricata_nonhttp_traffic_on_tcp_port_80.json'; -import rule181 from './suricata_nonimap_traffic_on_port_1443_imap.json'; -import rule182 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json'; -import rule183 from './suricata_nonssh_traffic_on_port_22.json'; -import rule184 from './suricata_nontls_on_tls_port.json'; -import rule185 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json'; -import rule186 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json'; -import rule187 from 
'./suricata_rpc_traffic_on_http_ports.json'; -import rule188 from './suricata_serialized_php_detected.json'; -import rule189 from './suricata_shell_exec_php_function_in_an_http_post.json'; -import rule190 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json'; -import rule191 from './suricata_tls_traffic_on_unusual_port_internet_destination.json'; -import rule192 from './suricata_windows_executable_served_by_jpeg_web_content.json'; -import rule193 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; -import rule194 from './windows_burp_ce_activity.json'; -import rule195 from './windows_certutil_connecting_to_the_internet.json'; -import rule196 from './windows_command_prompt_connecting_to_the_internet.json'; -import rule197 from './windows_command_shell_started_by_internet_explorer.json'; -import rule198 from './windows_command_shell_started_by_powershell.json'; -import rule199 from './windows_command_shell_started_by_svchost.json'; -import rule200 from './windows_credential_dumping_commands.json'; -import rule201 from './windows_credential_dumping_via_imageload.json'; -import rule202 from './windows_credential_dumping_via_registry_save.json'; -import rule203 from './windows_data_compression_using_powershell.json'; -import rule204 from './windows_defense_evasion_decoding_using_certutil.json'; -import rule205 from './windows_defense_evasion_or_persistence_via_hidden_files.json'; -import rule206 from './windows_defense_evasion_via_filter_manager.json'; -import rule207 from './windows_defense_evasion_via_windows_event_log_tools.json'; -import rule208 from './windows_execution_via_compiled_html_file.json'; -import rule209 from './windows_execution_via_connection_manager.json'; -import rule210 from './windows_execution_via_microsoft_html_application_hta.json'; -import rule211 from './windows_execution_via_net_com_assemblies.json'; -import rule212 from './windows_execution_via_regsvr32.json'; -import rule213 from 
'./windows_execution_via_trusted_developer_utilities.json'; -import rule214 from './windows_html_help_executable_program_connecting_to_the_internet.json'; -import rule215 from './windows_image_load_from_a_temp_directory.json'; -import rule216 from './windows_indirect_command_execution.json'; -import rule217 from './windows_iodine_activity.json'; -import rule218 from './windows_management_instrumentation_wmi_execution.json'; -import rule219 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json'; -import rule220 from './windows_mimikatz_activity.json'; -import rule221 from './windows_misc_lolbin_connecting_to_the_internet.json'; -import rule222 from './windows_net_command_activity_by_the_system_account.json'; -import rule223 from './windows_net_user_command_activity.json'; -import rule224 from './windows_netcat_activity.json'; -import rule225 from './windows_netcat_network_activity.json'; -import rule226 from './windows_network_anomalous_windows_process_using_https_ports.json'; -import rule227 from './windows_nmap_activity.json'; -import rule228 from './windows_nmap_scan_activity.json'; -import rule229 from './windows_payload_obfuscation_via_certutil.json'; -import rule230 from './windows_persistence_or_priv_escalation_via_hooking.json'; -import rule231 from './windows_persistence_via_application_shimming.json'; -import rule232 from './windows_persistence_via_bits_jobs.json'; -import rule233 from './windows_persistence_via_modification_of_existing_service.json'; -import rule234 from './windows_persistence_via_netshell_helper_dll.json'; -import rule235 from './windows_powershell_connecting_to_the_internet.json'; -import rule236 from './windows_priv_escalation_via_accessibility_features.json'; -import rule237 from './windows_process_discovery_via_tasklist_command.json'; -import rule238 from './windows_process_execution_via_wmi.json'; -import rule239 from './windows_process_started_by_acrobat_reader_possible_payload.json'; -import rule240 from 
'./windows_process_started_by_ms_office_program_possible_payload.json'; -import rule241 from './windows_process_started_by_the_java_runtime.json'; -import rule242 from './windows_psexec_activity.json'; -import rule243 from './windows_register_server_program_connecting_to_the_internet.json'; -import rule244 from './windows_registry_query_local.json'; -import rule245 from './windows_registry_query_network.json'; -import rule246 from './windows_remote_management_execution.json'; -import rule247 from './windows_scheduled_task_activity.json'; -import rule248 from './windows_script_interpreter_connecting_to_the_internet.json'; -import rule249 from './windows_signed_binary_proxy_execution.json'; -import rule250 from './windows_signed_binary_proxy_execution_download.json'; -import rule251 from './windows_suspicious_process_started_by_a_script.json'; -import rule252 from './windows_whoami_command_activity.json'; -import rule253 from './windows_windump_activity.json'; -import rule254 from './windows_wireshark_activity.json'; -import rule255 from './zeek_notice_capturelosstoo_much_loss.json'; -import rule256 from './zeek_notice_conncontent_gap.json'; -import rule257 from './zeek_notice_connretransmission_inconsistency.json'; -import rule258 from './zeek_notice_dnsexternal_name.json'; -import rule259 from './zeek_notice_ftpbruteforcing.json'; -import rule260 from './zeek_notice_ftpsite_exec_success.json'; -import rule261 from './zeek_notice_heartbleedssl_heartbeat_attack.json'; -import rule262 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json'; -import rule263 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json'; -import rule264 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json'; -import rule265 from './zeek_notice_httpsql_injection_attacker.json'; -import rule266 from './zeek_notice_httpsql_injection_victim.json'; -import rule267 from './zeek_notice_intelnotice.json'; -import rule268 from './zeek_notice_noticetally.json'; -import rule269 
from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json'; -import rule270 from './zeek_notice_packetfiltercompile_failure.json'; -import rule271 from './zeek_notice_packetfilterdropped_packets.json'; -import rule272 from './zeek_notice_packetfilterinstall_failure.json'; -import rule273 from './zeek_notice_packetfilterno_more_conn_shunts_available.json'; -import rule274 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json'; -import rule275 from './zeek_notice_protocoldetectorprotocol_found.json'; -import rule276 from './zeek_notice_protocoldetectorserver_found.json'; -import rule277 from './zeek_notice_scanaddress_scan.json'; -import rule278 from './zeek_notice_scanport_scan.json'; -import rule279 from './zeek_notice_signaturescount_signature.json'; -import rule280 from './zeek_notice_signaturesmultiple_sig_responders.json'; -import rule281 from './zeek_notice_signaturesmultiple_signatures.json'; -import rule282 from './zeek_notice_signaturessensitive_signature.json'; -import rule283 from './zeek_notice_signaturessignature_summary.json'; -import rule284 from './zeek_notice_smtpblocklist_blocked_host.json'; -import rule285 from './zeek_notice_smtpblocklist_error_message.json'; -import rule286 from './zeek_notice_smtpsuspicious_origination.json'; -import rule287 from './zeek_notice_softwaresoftware_version_change.json'; -import rule288 from './zeek_notice_softwarevulnerable_version.json'; -import rule289 from './zeek_notice_sshinteresting_hostname_login.json'; -import rule290 from './zeek_notice_sshlogin_by_password_guesser.json'; -import rule291 from './zeek_notice_sshpassword_guessing.json'; -import rule292 from './zeek_notice_sshwatched_country_login.json'; -import rule293 from './zeek_notice_sslcertificate_expired.json'; -import rule294 from './zeek_notice_sslcertificate_expires_soon.json'; -import rule295 from './zeek_notice_sslcertificate_not_valid_yet.json'; -import rule296 from './zeek_notice_sslinvalid_ocsp_response.json'; -import rule297 from 
'./zeek_notice_sslinvalid_server_cert.json'; -import rule298 from './zeek_notice_sslold_version.json'; -import rule299 from './zeek_notice_sslweak_cipher.json'; -import rule300 from './zeek_notice_sslweak_key.json'; -import rule301 from './zeek_notice_teamcymrumalwarehashregistrymatch.json'; -import rule302 from './zeek_notice_traceroutedetected.json'; -import rule303 from './zeek_notice_weirdactivity.json'; +import rule82 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; +import rule83 from './windows_burp_ce_activity.json'; +import rule84 from './windows_certutil_connecting_to_the_internet.json'; +import rule85 from './windows_command_prompt_connecting_to_the_internet.json'; +import rule86 from './windows_command_shell_started_by_internet_explorer.json'; +import rule87 from './windows_command_shell_started_by_powershell.json'; +import rule88 from './windows_command_shell_started_by_svchost.json'; +import rule89 from './windows_credential_dumping_commands.json'; +import rule90 from './windows_credential_dumping_via_imageload.json'; +import rule91 from './windows_credential_dumping_via_registry_save.json'; +import rule92 from './windows_data_compression_using_powershell.json'; +import rule93 from './windows_defense_evasion_decoding_using_certutil.json'; +import rule94 from './windows_defense_evasion_or_persistence_via_hidden_files.json'; +import rule95 from './windows_defense_evasion_via_filter_manager.json'; +import rule96 from './windows_defense_evasion_via_windows_event_log_tools.json'; +import rule97 from './windows_execution_via_compiled_html_file.json'; +import rule98 from './windows_execution_via_connection_manager.json'; +import rule99 from './windows_execution_via_microsoft_html_application_hta.json'; +import rule100 from './windows_execution_via_net_com_assemblies.json'; +import rule101 from './windows_execution_via_regsvr32.json'; +import rule102 from './windows_execution_via_trusted_developer_utilities.json'; 
+import rule103 from './windows_html_help_executable_program_connecting_to_the_internet.json'; +import rule104 from './windows_image_load_from_a_temp_directory.json'; +import rule105 from './windows_indirect_command_execution.json'; +import rule106 from './windows_iodine_activity.json'; +import rule107 from './windows_management_instrumentation_wmi_execution.json'; +import rule108 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json'; +import rule109 from './windows_mimikatz_activity.json'; +import rule110 from './windows_misc_lolbin_connecting_to_the_internet.json'; +import rule111 from './windows_net_command_activity_by_the_system_account.json'; +import rule112 from './windows_net_user_command_activity.json'; +import rule113 from './windows_netcat_activity.json'; +import rule114 from './windows_netcat_network_activity.json'; +import rule115 from './windows_network_anomalous_windows_process_using_https_ports.json'; +import rule116 from './windows_nmap_activity.json'; +import rule117 from './windows_nmap_scan_activity.json'; +import rule118 from './windows_payload_obfuscation_via_certutil.json'; +import rule119 from './windows_persistence_or_priv_escalation_via_hooking.json'; +import rule120 from './windows_persistence_via_application_shimming.json'; +import rule121 from './windows_persistence_via_bits_jobs.json'; +import rule122 from './windows_persistence_via_modification_of_existing_service.json'; +import rule123 from './windows_persistence_via_netshell_helper_dll.json'; +import rule124 from './windows_powershell_connecting_to_the_internet.json'; +import rule125 from './windows_priv_escalation_via_accessibility_features.json'; +import rule126 from './windows_process_discovery_via_tasklist_command.json'; +import rule127 from './windows_process_execution_via_wmi.json'; +import rule128 from './windows_process_started_by_acrobat_reader_possible_payload.json'; +import rule129 from 
'./windows_process_started_by_ms_office_program_possible_payload.json'; +import rule130 from './windows_process_started_by_the_java_runtime.json'; +import rule131 from './windows_psexec_activity.json'; +import rule132 from './windows_register_server_program_connecting_to_the_internet.json'; +import rule133 from './windows_registry_query_local.json'; +import rule134 from './windows_registry_query_network.json'; +import rule135 from './windows_remote_management_execution.json'; +import rule136 from './windows_scheduled_task_activity.json'; +import rule137 from './windows_script_interpreter_connecting_to_the_internet.json'; +import rule138 from './windows_signed_binary_proxy_execution.json'; +import rule139 from './windows_signed_binary_proxy_execution_download.json'; +import rule140 from './windows_suspicious_process_started_by_a_script.json'; +import rule141 from './windows_whoami_command_activity.json'; +import rule142 from './windows_windump_activity.json'; +import rule143 from './windows_wireshark_activity.json'; export const rawRules = [ rule1, rule2, 
@@ -454,164 +294,4 @@ export const rawRules = [ rule141, rule142, rule143, - rule144, - rule145, - rule146, - rule147, - rule148, - rule149, - rule150, - rule151, - rule152, - rule153, - rule154, - rule155, - rule156, - rule157, - rule158, - rule159, - rule160, - rule161, - rule162, - rule163, - rule164, - rule165, - rule166, - rule167, - rule168, - rule169, - rule170, - rule171, - rule172, - rule173, - rule174, - rule175, - rule176, - rule177, - rule178, - rule179, - rule180, - rule181, - rule182, - rule183, - rule184, - rule185, - rule186, - rule187, - rule188, - rule189, - rule190, - rule191, - rule192, - rule193, - rule194, - rule195, - rule196, - rule197, - rule198, - rule199, - rule200, - rule201, - rule202, - rule203, - rule204, - rule205, - rule206, - rule207, - rule208, - rule209, - rule210, - rule211, - rule212, - rule213, - rule214, - rule215, - rule216, - rule217, - rule218, - rule219, - rule220, - rule221, - rule222, - rule223, - rule224, - rule225, - rule226, - rule227, - rule228, - rule229, - rule230, - rule231, - rule232, - rule233, - rule234, - rule235, - rule236, - rule237, - rule238, - rule239, - rule240, - rule241, - rule242, - rule243, - rule244, - rule245, - rule246, - rule247, - rule248, - rule249, - rule250, - rule251, - rule252, - rule253, - rule254, - rule255, - rule256, - rule257, - rule258, - rule259, - rule260, - rule261, - rule262, - rule263, - rule264, - rule265, - rule266, - rule267, - rule268, - rule269, - rule270, - rule271, - rule272, - rule273, - rule274, - rule275, - rule276, - rule277, - rule278, - rule279, - rule280, - rule281, - rule282, - rule283, - rule284, - rule285, - rule286, - rule287, - rule288, - rule289, - rule290, - rule291, - rule292, - rule293, - rule294, - rule295, - rule296, - rule297, - rule298, - rule299, - rule300, - rule301, - rule302, - rule303, ]; 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json index 90864f1ab8ab9f..d6887f7928dd80 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json @@ -1,15 +1,46 @@ { - "description": "Linux: Kernel Module Activity", + "description": "Identifies loadable kernel module errors, often indicative of potential persistence attempts.", "enabled": false, + "false_positives": [ + "Security tools and device drivers may load legitimate kernel modules." + ], "from": "now-6m", "immutable": true, + "index": [ + "auditbeat-*" + ], "interval": "5m", "language": "kuery", - "name": "Linux: Kernel Module Activity", + "max_signals": 33, + "name": "Persistence via Kernel Module Modification", "query": "process.name: (insmod or kmod or modprobe or rmod) and event.action:executed", - "risk_score": 50, + "references": [ + "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM" + ], + "risk_score": 25, "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", "severity": "low", + "tags": [ + "EIA", + "auditbeat" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/techniques/TA0003/" + }, + "techniques": [ + { + "id": "T1215", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1215/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 
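Review bot: The tactic reference `https://attack.mitre.org/techniques/TA0003/` uses the techniques path for a tactic id; the TA0002 entry elsewhere in this commit uses `/tactics/`, so this should be `"reference": "https://attack.mitre.org/tactics/TA0003/"`. The process list includes `rmod`, which is not a standard Linux utility — the module-removal tool is `rmmod`, so `process.name: (insmod or kmod or modprobe or rmmod)` is presumably what was intended and module unloads currently never fire. The new description says the rule "Identifies loadable kernel module errors", but the query matches executions (`event.action:executed`) of the module tools, not error events; describe it as insmod/modprobe/rmmod execution, and note that the name "Persistence via Kernel Module Modification" asserts more than a bare modprobe run proves.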
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json index d9d409feae4735..945c8acfe00e45 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json @@ -1,15 +1,26 @@ { - "description": "Linux: Process Started in Temp Directory", + "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.", "enabled": false, + "false_positives": [ + "Build systems like Jenkins may start processes in the /tmp directory." + ], "from": "now-6m", "immutable": true, + "index": [ + "auditbeat-*" + ], "interval": "5m", "language": "kuery", - "name": "Linux: Process Started in Temp Directory", + "max_signals": 33, + "name": "Unusual Process Execution - Temp", "query": "process.working_directory: /tmp and event.action:executed", - "risk_score": 50, + "risk_score": 25, "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", "severity": "low", + "tags": [ + "EIA", + "auditbeat" + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index d533f5d4ec3f64..e8c5942ec5100f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json 
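Review bot: The query keys on `process.working_directory: /tmp`, i.e. the process's current directory, while the new name "Unusual Process Execution - Temp" and description ("processes running in a temporary folder") describe a binary located under a temp path — a payload at `/tmp/.x/run` launched from `/root` is missed, and a legitimate binary run with cwd `/tmp` is flagged. Matching the executable path instead (or as well), e.g. `process.executable: (/tmp/* or /var/tmp/* or /dev/shm/*) and event.action:executed`, fits the stated intent; an exact keyword match on `/tmp` also does not cover subdirectories, so the existing clause likely needs a wildcard even if working_directory is kept — confirm against the auditbeat mapping. This is also the only rewritten Linux rule in the batch without a `threats` block; either add a mapping or say in the description that none applies.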
@@ -1,16 +1,47 @@ { - "description": "Linux: Shell Activity By Web Server", + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "enabled": false, + "false_positives": [ + "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." + ], "filters": [], "from": "now-6m", "immutable": true, + "index": [ + "auditbeat-*" + ], "interval": "5m", "language": "kuery", + "max_signals": 33, "name": "Linux: Shell Activity By Web Server", "query": "process.name: bash and (user.name: apache or www) and event.action:executed", + "references": [ + "https://pentestlab.blog/tag/web-shell/" + ], "risk_score": 50, "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", "severity": "low", + "tags": [ + "EIA", + "auditbeat" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/techniques/TA0003/" + }, + "techniques": [ + { + "id": "T1100", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1215/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json index 56a2782eb0cca0..c57e21334b4f76 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json 
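Review bot: `(user.name: apache or www)` does not do what the rule intends: in KQL the `or www` term falls outside the `user.name:` scope and becomes a free-text term matched against the index's default fields, and an exact `user.name: www` would in any case not match the common `www-data` account; bind the alternatives to the field, e.g. `user.name: (apache or www or www-data or nginx)`. The T1100 Web Shell technique entry carries the T1215 URL — it should be `"reference": "https://attack.mitre.org/techniques/T1100/"` — and the tactic reference uses `/techniques/TA0003/` where the other rules use `/tactics/`. The query matches only `bash`; web shells commonly spawn `sh` or `dash`, so `process.name: (bash or sh or dash)` is a cheap widening. This is also the one rule in the batch whose `name` keeps the old "Linux:" prefix, which looks like an oversight given the renames elsewhere.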
@@ -1,15 +1,43 @@ { - "description": "Linux: Whoami Commmand", + "description": "The 'whoami' command was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privlieged access.", "enabled": false, + "false_positives": [ + "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." + ], "from": "now-6m", "immutable": true, + "index": [ + "auditbeat-*" + ], "interval": "5m", "language": "kuery", - "name": "Linux: Whoami Commmand", + "max_signals": 33, + "name": "Linux: User Discovery Via The Whoami Commmand", "query": "process.name: whoami and event.action:executed", "risk_score": 50, "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", "severity": "low", + "tags": [ + "EIA", + "auditbeat" + ], + "threats": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "techniques": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], "to": "now", "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json deleted file mode 100644 index 05d54f6bdb4c63..00000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_invokecommand_powershell_execution.json +++ /dev/null 
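Review bot: The user-facing `name` still reads "Whoami Commmand" and the description says "privlieged access" — both typos will appear verbatim in the signals UI, so fix them here: `"name": "User Discovery via the Whoami Command"` (dropping the "Linux:" prefix to match the renamed rules in this commit) and "...to test for privileged access." The file name `linux_whoami_commmand.json` carries the same typo; renaming it touches index.ts, so that can be a follow-up. The description's claim that whoami is "often used by ... persistence mechanisms" is not obviously supported and sits oddly under the mapped Discovery tactic — "used by attackers and post-exploitation tooling to check the current user and privileges" states what T1033 actually covers.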
@@ -1,43 +0,0 @@ -{ - "description": "Suricata Base64 Encoded Invoke-Command Powershell Execution", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Suricata Base64 Encoded Invoke-Command Powershell Execution", - "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187) or rule.id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187))", - "references": [ - "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L179-L184", - "This group of signatures detect base-64 encoded variations of the 'Invoke-Command' Powershell cmdlet. This is not something you should see on a typical network and could indicate a possible command and control channel." - ], - "risk_score": 50, - "rule_id": "6ff01a30-95dd-471c-b61d-0fd9ee2d0a20", - "severity": "high", - "threats": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "command and control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "techniques": [ - { - "id": "T1001", - "name": "data obfuscation", - "reference": "https://attack.mitre.org/techniques/T1001/" - }, - { - "id": "T1132", - "name": "data encoding", - "reference": "https://attack.mitre.org/techniques/T1132/" - } - ] - } - ], - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json deleted file mode 100644 index ac47a6877c5250..00000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_newobject_powershell_execution.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "description": "Suricata Base64 Encoded New-Object Powershell Execution", - "enabled": false, - "filters": [], - "from": "now-6m", - "immutable": true, - "interval": "5m", - "language": "kuery", - "name": "Suricata Base64 Encoded New-Object Powershell Execution", - "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610188 or 2610189 or 2610190 or 2610191 or 2610192 or 2610193) or rule.id: (2610188 or 2610189 or 2610190 or 2610191 or 2610192 or 2610193))", - "references": [ - "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L191-L196", - "This group of signatures detect base-64 encoded variations of the 'New-Object' Powershell cmdlet. This is not something you should see on a typical network and could indicate a possible command and control channel." - ], - "risk_score": 50, - "rule_id": "d14d5401-0f7a-4933-b816-1b8f823e3d84", - "severity": "high", - "threats": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "command and control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "techniques": [ - { - "id": "T1001", - "name": "data obfuscation", - "reference": "https://attack.mitre.org/techniques/T1001/" - }, - { - "id": "T1132", - "name": "data encoding", - "reference": "https://attack.mitre.org/techniques/T1132/" - } - ] - } - ], - "to": "now", - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json deleted file mode 100644 index 972299bbd74b04..00000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_base64_encoded_startprocess_powershell_execution.json +++ /dev/null 
@@ -1,43 +0,0 @@
-{
- "description": "Suricata Base64 Encoded Start-Process Powershell Execution",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Base64 Encoded Start-Process Powershell Execution",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610194 or 2610195 or 2610196 or 2610197 or 2610198 or 2610199) or rule.id: (2610194 or 2610195 or 2610196 or 2610197 or 2610198 or 2610199))",
- "references": [
- "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L191-L196",
- "This group of signatures detect base-64 encoded variations of the 'Start-Process' Powershell cmdlet. This is not something you should see on a typical network and could indicate a possible command and control channel."
- ],
- "risk_score": 50,
- "rule_id": "372dce88-003d-4bcf-8c95-34ea8be180a1",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0011",
- "name": "command and control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
- },
- "techniques": [
- {
- "id": "T1001",
- "name": "data obfuscation",
- "reference": "https://attack.mitre.org/techniques/T1001/"
- },
- {
- "id": "T1132",
- "name": "data encoding",
- "reference": "https://attack.mitre.org/techniques/T1132/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json
deleted file mode 100644
index bb6a57f905bf7d..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_a_suspicious_string_was_detected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - A suspicious string was detected",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - A suspicious string was detected",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious string was detected\" or rule.category: \"A suspicious string was detected\")",
- "risk_score": 50,
- "rule_id": "2a3d91c1-5065-46ab-bed0-93f80835b1d5",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json
deleted file mode 100644
index 9de1f5ad33712e..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_administrator_privilege_gain.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Attempted Administrator Privilege Gain",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Attempted Administrator Privilege Gain",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Administrator Privilege Gain\" or rule.category: \"Attempted Administrator Privilege Gain\")",
- "risk_score": 50,
- "rule_id": "f840129e-9089-4f46-8af1-0745e8f54713",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json
deleted file mode 100644
index d0c3eb9ba2331c..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_denial_of_service.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Attempted Denial of Service",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Attempted Denial of Service",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Denial of Service\" or rule.category: \"Attempted Denial of Service\")",
- "risk_score": 50,
- "rule_id": "a62927f4-2488-4679-b56f-cda1a7f4c9e1",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json
deleted file mode 100644
index 75995d657b4640..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_information_leak.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Attempted Information Leak",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Attempted Information Leak",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted Information Leak\" or rule.category: \"Attempted Information Leak\")",
- "risk_score": 50,
- "rule_id": "88d69362-f496-41d6-8e6b-a2dbaed3513f",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json
deleted file mode 100644
index 31d14a3b687089..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_login_with_suspicious_username.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Attempted Login with Suspicious Username",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Attempted Login with Suspicious Username",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"An attempted login using a suspicious username was detected\" or rule.category: \"An attempted login using a suspicious username was detected\")",
- "risk_score": 50,
- "rule_id": "a84cd36c-dd5a-4e86-a2ce-44556c21cef0",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json
deleted file mode 100644
index 13300e8a17694d..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_attempted_user_privilege_gain.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Attempted User Privilege Gain",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Attempted User Privilege Gain",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempted User Privilege Gain\" or rule.category: \"Attempted User Privilege Gain\")",
- "risk_score": 50,
- "rule_id": "eabce895-4602-4d20-8bf9-11c903bb3e08",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json
deleted file mode 100644
index 9c1e3ef1b39f8e..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_client_using_unusual_port.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Client Using Unusual Port",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Client Using Unusual Port",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A client was using an unusual port\" or rule.category: \"A client was using an unusual port\")",
- "risk_score": 50,
- "rule_id": "00503a3c-304c-421c-bfea-e5d8fdfd9726",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json
deleted file mode 100644
index a4ef732c2e1bd5..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_crypto_currency_mining_activity.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Crypto Currency Mining Activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Crypto Currency Mining Activity",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Crypto Currency Mining Activity Detected\" or rule.category: \"Crypto Currency Mining Activity Detected\")",
- "risk_score": 50,
- "rule_id": "74cd4920-a441-41d2-8a23-5bee70626e60",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json
deleted file mode 100644
index 43f767f14b7e6c..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_decode_of_an_rpc_query.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Decode of an RPC Query",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Decode of an RPC Query",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Decode of an RPC Query\" or rule.category: \"Decode of an RPC Query\")",
- "risk_score": 50,
- "rule_id": "e9fc5bd3-c8a1-442c-be6d-032da07c508b",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json
deleted file mode 100644
index 74a566563f15a3..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_default_username_and_password_login_attempt.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Default Username and Password Login Attempt",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Default Username and Password Login Attempt",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Attempt to login by a default username and password\" or rule.category: \"Attempt to login by a default username and password\")",
- "risk_score": 50,
- "rule_id": "190bd112-f831-4813-98b2-e45a934277c2",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json
deleted file mode 100644
index d7a615807593e6..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Denial of Service",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Denial of Service",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Denial of Service\" or rule.category: \"Denial of Service\")",
- "risk_score": 75,
- "rule_id": "0e97e390-84db-4725-965a-a8b0b600f7be",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json
deleted file mode 100644
index e0bf4220d4467f..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_denial_of_service_attack.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Denial of Service Attack",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Denial of Service Attack",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Denial of Service Attack\" or rule.category: \"Detection of a Denial of Service Attack\")",
- "risk_score": 100,
- "rule_id": "42a60eaa-fd20-479b-b6ca-bdb88d47b34b",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json
deleted file mode 100644
index 09a72e761cb409..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_executable_code_was_detected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Executable code was detected",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Executable code was detected",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Executable code was detected\" or rule.category: \"Executable code was detected\")",
- "risk_score": 50,
- "rule_id": "4699296b-5127-475a-9d83-8434fcd18136",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json
deleted file mode 100644
index 8c8f5565da4e64..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_exploit_kit_activity.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Exploit Kit Activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Exploit Kit Activity",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Exploit Kit Activity Detected\" or rule.category: \"Exploit Kit Activity Detected\")",
- "risk_score": 50,
- "rule_id": "b3111af8-79bf-4ec3-97ae-28d9ed9fbd38",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json
deleted file mode 100644
index 39c42d81ee59d5..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_external_ip_address_retrieval.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - External IP Address Retrieval",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - External IP Address Retrieval",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Device Retrieving External IP Address Detected\" or rule.category: \"Device Retrieving External IP Address Detected\")",
- "risk_score": 50,
- "rule_id": "c7df9ecf-d6be-4ef8-9871-cb317dfff0b4",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json
deleted file mode 100644
index e4d15f667371f9..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_icmp_event.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Generic ICMP event",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Generic ICMP event",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic ICMP event\" or rule.category: \"Generic ICMP event\")",
- "risk_score": 25,
- "rule_id": "3309bffa-7c43-409a-acea-6631c1b077e5",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json
deleted file mode 100644
index faaccc5eee9926..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_generic_protocol_command_decode.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Generic Protocol Command Decode",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Generic Protocol Command Decode",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Generic Protocol Command Decode\" or rule.category: \"Generic Protocol Command Decode\")",
- "risk_score": 25,
- "rule_id": "6fd2deb4-a7a9-4221-8b7b-8d26836a8c30",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json
deleted file mode 100644
index c58b4a5f4b13a3..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_information_leak.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Information Leak",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Information Leak",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Information Leak\" or rule.category: \"Information Leak\")",
- "risk_score": 25,
- "rule_id": "95df8ff4-7169-4c84-ae50-3561b1d1bc91",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json
deleted file mode 100644
index b1916165c6e903..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_large_scale_information_leak.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Large Scale Information Leak",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Large Scale Information Leak",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Large Scale Information Leak\" or rule.category: \"Large Scale Information Leak\")",
- "risk_score": 75,
- "rule_id": "ca98de30-c703-4170-97ae-ab2b340f6080",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json
deleted file mode 100644
index 4682f973bdfc93..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_malware_command_and_control_activity.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Malware Command and Control Activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Malware Command and Control Activity",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Malware Command and Control Activity Detected\" or rule.category: \"Malware Command and Control Activity Detected\")",
- "risk_score": 100,
- "rule_id": "56656341-2940-4a69-b8fe-acf3c734f540",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json
deleted file mode 100644
index 49928bd4caaa53..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_activity.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Misc Activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Misc Activity",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc activity\" or rule.category: \"Misc activity\")",
- "risk_score": 25,
- "rule_id": "403ddbde-a486-4dd7-b932-cee4ebef88b6",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json
deleted file mode 100644
index 34c9059d264981..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_misc_attack.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Misc Attack",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Misc Attack",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Misc Attack\" or rule.category: \"Misc Attack\")",
- "risk_score": 50,
- "rule_id": "83277123-749f-49da-ad3d-d59f35490db1",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json
deleted file mode 100644
index 9bc0572e257795..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_scan_detected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Network Scan Detected",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Network Scan Detected",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a Network Scan\" or rule.category: \"Detection of a Network Scan\")",
- "risk_score": 25,
- "rule_id": "7e969b45-d005-4173-aee7-a7aaa79bc372",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json
deleted file mode 100644
index b319d5d2be079b..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_network_trojan_detected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Network Trojan Detected",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Network Trojan Detected",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A Network Trojan was detected\" or rule.category: \"A Network Trojan was detected\")",
- "risk_score": 100,
- "rule_id": "76ffa464-ec03-42e1-87ee-87760c331061",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json
deleted file mode 100644
index c104b1d2acc450..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_nonstandard_protocol_or_event.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Non-Standard Protocol or Event",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Non-Standard Protocol or Event",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Detection of a non-standard protocol or event\" or rule.category: \"Detection of a non-standard protocol or event\")",
- "risk_score": 50,
- "rule_id": "82f9f485-873b-4eeb-b231-052ab81e05b8",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json
deleted file mode 100644
index 4ff46e429c4c3a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_not_suspicious_traffic.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Not Suspicious Traffic",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Not Suspicious Traffic",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Not Suspicious Traffic\" or rule.category: \"Not Suspicious Traffic\")",
- "risk_score": 25,
- "rule_id": "c0f684ff-4f15-44e7-912d-aa8b8f08a910",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json
deleted file mode 100644
index 6b06e23648cbdb..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_observed_c2_domain.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Observed C2 Domain",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Observed C2 Domain",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Domain Observed Used for C2 Detected\" or rule.category: \"Domain Observed Used for C2 Detected\")",
- "risk_score": 75,
- "rule_id": "8adfa89f-aa90-4d26-9d7a-7da652cae902",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json
deleted file mode 100644
index 7c4f096280ed47..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possible_social_engineering_attempted.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Possible Social Engineering Attempted",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Possible Social Engineering Attempted",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Possible Social Engineering Attempted\" or rule.category: \"Possible Social Engineering Attempted\")",
- "risk_score": 50,
- "rule_id": "7d2d5a5f-f590-407d-933a-42adb1a7bcef",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json
deleted file mode 100644
index 7e5f92c15e4141..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_possibly_unwanted_program.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Possibly Unwanted Program",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Possibly Unwanted Program",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Possibly Unwanted Program Detected\" or rule.category: \"Possibly Unwanted Program Detected\")",
- "risk_score": 25,
- "rule_id": "1b9a31e8-fdfa-400e-aa4e-79a7f1a1da18",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json
deleted file mode 100644
index 221cfaab48e004..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potential_corporate_privacy_violation.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Potential Corporate Privacy Violation",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Potential Corporate Privacy Violation",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Potential Corporate Privacy Violation\" or rule.category: \"Potential Corporate Privacy Violation\")",
- "risk_score": 25,
- "rule_id": "1c70f5d5-eae0-4d00-b35a-d34ca607094e",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json
deleted file mode 100644
index fc1baf20147577..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_bad_traffic.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Potentially Bad Traffic",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Potentially Bad Traffic",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Potentially Bad Traffic\" or rule.category: \"Potentially Bad Traffic\")",
- "risk_score": 25,
- "rule_id": "197cdd5a-9880-4780-a87c-594d0ed2b7b4",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json
deleted file mode 100644
index cfcb246d44f4d1..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_potentially_vulnerable_web_application_access.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Potentially Vulnerable Web Application Access",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Potentially Vulnerable Web Application Access",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"access to a potentially vulnerable web application\" or rule.category: \"access to a potentially vulnerable web application\")",
- "risk_score": 75,
- "rule_id": "0993e926-1a01-4c28-918a-cdd5741a19a8",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json
deleted file mode 100644
index 919083650682c9..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_administrator_privilege_gain.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Successful Administrator Privilege Gain",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Successful Administrator Privilege Gain",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful Administrator Privilege Gain\" or rule.category: \"Successful Administrator Privilege Gain\")",
- "risk_score": 75,
- "rule_id": "f068e655-1f52-4d81-839a-9c08c6543ceb",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json
deleted file mode 100644
index feb708316fbd8a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_credential_theft.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Successful Credential Theft",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Successful Credential Theft",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful Credential Theft Detected\" or rule.category: \"Successful Credential Theft Detected\")",
- "risk_score": 75,
- "rule_id": "90f3e735-2187-4e8e-8d28-6e3249964851",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json
deleted file mode 100644
index 8a7e366d25e585..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_successful_user_privilege_gain.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Successful User Privilege Gain",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Successful User Privilege Gain",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Successful User Privilege Gain\" or rule.category: \"Successful User Privilege Gain\")",
- "risk_score": 50,
- "rule_id": "f8ebd022-6e92-4b80-ac49-7ee011ba2ce0",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json
deleted file mode 100644
index 356c0d23dd4e9c..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_suspicious_filename_detected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Suspicious Filename Detected",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Suspicious Filename Detected",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A suspicious filename was detected\" or rule.category: \"A suspicious filename was detected\")",
- "risk_score": 25,
- "rule_id": "d0489b07-8140-4e3d-a2b7-52f2c06fdc7c",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json
deleted file mode 100644
index f41692fb218412..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_system_call_detected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - System Call Detected",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - System Call Detected",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A system call was detected\" or rule.category: \"A system call was detected\")",
- "risk_score": 50,
- "rule_id": "44a5c55a-a34f-43c3-8f21-df502862aa9b",
- "severity": "medium",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json
deleted file mode 100644
index 9c13b53f43263d..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_targeted_malicious_activity.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Targeted Malicious Activity",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Targeted Malicious Activity",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Targeted Malicious Activity was Detected\" or rule.category: \"Targeted Malicious Activity was Detected\")",
- "risk_score": 75,
- "rule_id": "d299379d-41de-4640-96b6-77aaa9adfa6f",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json
deleted file mode 100644
index eb41269d58ffa1..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_tcp_connection_detected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - TCP Connection Detected",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - TCP Connection Detected",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"A TCP connection was detected\" or rule.category: \"A TCP connection was detected\")",
- "risk_score": 0,
- "rule_id": "ddf402cf-307d-4f46-a25d-dce3aee1ad13",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json
deleted file mode 100644
index a260d049633b98..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unknown_traffic.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Unknown Traffic",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Unknown Traffic",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unknown Traffic\" or rule.category: \"Unknown Traffic\")",
- "risk_score": 25,
- "rule_id": "827ea90c-00c2-45f7-b873-dd060297b2d2",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json
deleted file mode 100644
index c57cc857cef676..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_unsuccessful_user_privilege_gain.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Unsuccessful User Privilege Gain",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Unsuccessful User Privilege Gain",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Unsuccessful User Privilege Gain\" or rule.category: \"Unsuccessful User Privilege Gain\")",
- "risk_score": 50,
- "rule_id": "85471d30-78c9-48f6-b2db-ab5b2547e450",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json
deleted file mode 100644
index 4014473971b8ef..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_category_web_application_attack.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Category - Web Application Attack",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Category - Web Application Attack",
- "query": "event.module: suricata and event.kind: alert and (suricata.eve.alert.category: \"Web Application Attack\" or rule.category: \"Web Application Attack\")",
- "risk_score": 75,
- "rule_id": "e856918b-f26e-4893-84b9-3deb65046fb7",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json
deleted file mode 100644
index e77e977d780d5e..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_cobaltstrike_artifact_in_an_dns_request.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata CobaltStrike Artifact in an DNS Request",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata CobaltStrike Artifact in an DNS Request",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610166 or 2610167 or 2610168) or rule.id: (2610166 or 2610167 or 2610168))",
- "risk_score": 100,
- "rule_id": "481ef0f5-beda-4fa2-8bfb-039c95500deb",
- "severity": "high",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json
deleted file mode 100644
index a866c79a858224..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_commonly_abused_dns_domain_detected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Commonly Abused DNS Domain Detected",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Commonly Abused DNS Domain Detected",
- "query": " event.module:suricata and event.kind:alert and (suricata.eve.alert.signature:(TGI* and *HUNT* and *Abused* and *TLD*) or rule.description:(TGI* and *HUNT* and *Abused* and *TLD*))",
- "risk_score": 25,
- "rule_id": "1844dfe1-b05e-4ca6-b367-6b9e3a1fe227",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json
deleted file mode 100644
index 862d5417fadcc4..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_reversal_characters_in_an_http_request.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Directory Reversal Characters in an HTTP Request",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Directory Reversal Characters in an HTTP Request",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610161 or 2610162)",
- "risk_score": 50,
- "rule_id": "c0ca8090-60f8-4458-befe-c43687b648a3",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json
deleted file mode 100644
index 73cb913e271a16..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_an_http_request.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "description": "Suricata Directory Traversal Characters in an HTTP Request Header",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Directory Traversal Characters in an HTTP Request Header",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610161 or 2610162) or rule.id: (2610161 or 2610162))",
- "references": [
- "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L179-L184",
- "This group of signatures detects directory traversal characters in a header of an HTTP request. This is not something you should see on a typical network and could indicate an attempt to exploit the web application."
- ],
- "risk_score": 50,
- "rule_id": "7c663c8d-cdfd-4605-9dd6-d682fa4ade8c",
- "severity": "medium",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json
deleted file mode 100644
index c9d0db8ed300ee..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_characters_in_http_response.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "description": "Suricata Directory Traversal Characters in HTTP Response",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Directory Traversal Characters in HTTP Response",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610086 or rule.id:2610086)",
- "references": [
- "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L89",
- "This group of signatures detects directory traversal characters in a header of an HTTP response. This is not something you should see on a typical network and could indicate an attempt to exploit the web application."
- ],
- "risk_score": 75,
- "rule_id": "a6406974-ea70-45b5-b5d8-ca17695adbde",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json
deleted file mode 100644
index 65f8195751fc52..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_directory_traversal_in_downloaded_zip_file.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "description": "Suricata Directory Traversal in Downloaded Zip File",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Directory Traversal in Downloaded Zip File",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610085 or rule.id:2610085)",
- "references": [
- "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L88",
- "This group of signatures detects directory traversal characters in a zip archive downloaded over the network. This is not something you should see on a typical network and could indicate an attempt to trick a user to overwrite system files."
- ],
- "risk_score": 75,
- "rule_id": "d5d990bc-303c-4241-8138-6ba3cf2ee93e",
- "severity": "medium",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0002",
- "name": "execution",
- "reference": "https://attack.mitre.org/tactics/TA0002/"
- },
- "techniques": [
- {
- "id": "T1204",
- "name": "user execution",
- "reference": "https://attack.mitre.org/techniques/T1204/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json
deleted file mode 100644
index bd73b822f9f495..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_tcp_port.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "description": "Suricata DNS Traffic on Unusual Port (TCP or UDP)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata DNS Traffic on Unusual Port",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610015 or 2610013) or rule.id: (2610015 or 2610013))",
- "references": [
- "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules#L14-L16",
- "This detects DNS traffic running on an unusual port. This could indicate an application that is misconfigured or attempting to bypass security controls."
- ],
- "risk_score": 50,
- "rule_id": "deeae336-4ff7-4cf8-ae5b-18bce05da02e",
- "severity": "low",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0011",
- "name": "command and control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
- },
- "techniques": [
- {
- "id": "T1065",
- "name": "uncommonly used port",
- "reference": "https://attack.mitre.org/techniques/T1065/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json
deleted file mode 100644
index eb9b06f3cab145..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_dns_traffic_on_unusual_udp_port.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata DNS Traffic on Unusual UDP Port",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata DNS Traffic on Unusual UDP Port",
- "query": "suricata.eve.alert.signature_id:2610015 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "2343d9a4-365b-45b2-acb0-76934d43c75b",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json
deleted file mode 100644
index eaed3aabed8f24..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_a_uri.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Double Encoded Characters in a URI",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Double Encoded Characters in a URI",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610092 or 2610093 or 2610094 or 2610095)",
- "risk_score": 50,
- "rule_id": "1ed4d2d1-330c-4c7d-b32d-2d8805437946",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json
deleted file mode 100644
index 136ea957be766e..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_an_http_post.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Double Encoded Characters in an HTTP POST",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Double Encoded Characters in an HTTP POST",
- "query": "suricata.eve.alert.signature_id:2610090 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "a839a360-94ae-4219-b1cc-458d836333a7",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json
deleted file mode 100644
index 3cbdb6da3c141f..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_double_encoded_characters_in_http_request.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "description": "Suricata Double Encoded Characters in a URI",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Double Encoded Characters in a URI",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2610090 or 2610092 or 2610093 or 2610094 or 2610095) or rule.id: (2610090 or 2610092 or 2610093 or 2610094 or 2610095))",
- "references": [
- "https://github.com/travisbgreen/hunting-rules/blob/master/hunting.rules",
- "This group of signatures detects double encoding of characters in an HTTP request. This is not something you should see on a typical network and could indicate an attempt to exploit the web application or bypass detections."
- ],
- "risk_score": 25,
- "rule_id": "8aedfe6f-9219-463b-808b-91e7ea8ea5e8",
- "severity": "low",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json
deleted file mode 100644
index 986ac161d70df1..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_eval_php_function_in_an_http_request.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata eval PHP Function in an HTTP Request",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata eval PHP Function in an HTTP Request",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id:2610088 or rule.id: 2610088)",
- "risk_score": 50,
- "rule_id": "8c77b4ed-4e98-438b-adb0-d645d4a4ea26",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json
deleted file mode 100644
index 54b881428aa34c..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2018_1000861.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027349 or 2027350) or rule.id: (2027349 or 2027350))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2018-1000861"],
- "risk_score": 100,
- "rule_id": "ada41f8a-92b1-49d0-80ac-c4bc28824ab5",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json
deleted file mode 100644
index c050b73114bf52..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0227.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ATTACK [PTsecurity] Possible Apache Axis RCE via SSRF (CVE-2019-0227)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ATTACK [PTsecurity] Possible Apache Axis RCE via SSRF (CVE-2019-0227)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004698) or rule.id: (10004698))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0227"],
- "risk_score": 100,
- "rule_id": "2c8f321c-ba84-4c16-80dd-f20ea06e0c6d",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json
deleted file mode 100644
index 9522a286f7898c..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0232.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004953) or rule.id: (10004953))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0232"],
- "risk_score": 100,
- "rule_id": "fd7ef9a2-f010-49c1-8e08-31d84a9607dd",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json
deleted file mode 100644
index 95940a5396b943..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0604.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027096) or rule.id: (2027096))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0604"],
- "risk_score": 100,
- "rule_id": "ec50104d-26b1-45a6-b80e-768bd13cc34c",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json
deleted file mode 100644
index 401e1e815ea521..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0708.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004867 or 2027369) or rule.id: (10004867 or 2027369))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0708"],
- "risk_score": 100,
- "rule_id": "1589bff6-ec82-4acf-8f67-68ef0f3676d0",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json
deleted file mode 100644
index 5f256681aedd9f..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_0752.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027721) or rule.id: (2027721))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-0752"],
- "risk_score": 100,
- "rule_id": "5aa5f6db-2cc7-43de-ac8b-c7daa52ba9c3",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json
deleted file mode 100644
index c470783b0266d3..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1003000.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027349 or 2027350 or 2027346) or rule.id: (2027349 or 2027350 or 2027346))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-1003000"],
- "risk_score": 100,
- "rule_id": "6deba829-00ac-4298-bc80-976e4ef215d2",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json
deleted file mode 100644
index 2c18ecc3104fd2..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_10149.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027442) or rule.id: (2027442))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-10149"],
- "risk_score": 100,
- "rule_id": "e52d833a-0642-4076-89e9-6b7263361cee",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json
deleted file mode 100644
index 0e2c8cfa7339d2..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11043.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028895) or rule.id: (2028895))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11043"],
- "risk_score": 100,
- "rule_id": "7955c692-1259-4f77-aa9e-95a98b69d4aa",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json
deleted file mode 100644
index 65a6874f09932a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11510.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027904) or rule.id: (2027904))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11510"],
- "risk_score": 100,
- "rule_id": "d2dbbfee-2104-4d20-b562-d466b0b2c5ef",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json
deleted file mode 100644
index 6e3e8bc8cdbb72..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11580.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027712) or rule.id: (2027712))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11580"],
- "risk_score": 100,
- "rule_id": "f6e6c803-b44c-44b1-acbb-cd3e5bca10f8",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json
deleted file mode 100644
index 34b93871fa10b6..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_11581.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027711) or rule.id: (2027711))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11581"],
- "risk_score": 100,
- "rule_id": "720663fb-23da-43a5-bf4f-907265e5426d",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json
deleted file mode 100644
index ae014db82194eb..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13450.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027696) or rule.id: (2027696))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-13450"],
- "risk_score": 100,
- "rule_id": "04a9d926-51bb-4981-8116-04ee63f1ad75",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json
deleted file mode 100644
index 5a70886a844699..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_13505.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_SPECIFIC_APPS Appointment Hour Booking - WordPress Plugin - Stored XSS (CVE-2019-13505)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_SPECIFIC_APPS Appointment Hour Booking - WordPress Plugin - Stored XSS (CVE-2019-13505)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027706) or rule.id: (2027706))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-13505"],
- "risk_score": 100,
- "rule_id": "7b47f6a7-ae2a-46a1-a718-641649dfbfd6",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json
deleted file mode 100644
index cbede3be1782bf..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15107.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_SERVER Webmin RCE CVE-2019-15107",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_SERVER Webmin RCE CVE-2019-15107",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027896) or rule.id: (2027896))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-15107"],
- "risk_score": 100,
- "rule_id": "37f923c4-048d-4a17-b804-b4f895477962",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json
deleted file mode 100644
index 99ac06aa715aab..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_15846.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027959 or 2027960) or rule.id: (2027959 or 2027960))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-15846"],
- "risk_score": 100,
- "rule_id": "1d625e03-a21b-40c8-82c0-edb497a48254",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json
deleted file mode 100644
index 0fe9cde7307e8c..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16072.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029159 or 2029158) or rule.id: (2029159 or 2029158))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16072"],
- "risk_score": 100,
- "rule_id": "5cf97dad-2327-4010-8498-64e5d53fd317",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json
deleted file mode 100644
index 254c6019a039d3..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1652.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2026860) or rule.id: (2026860))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-1652"],
- "risk_score": 100,
- "rule_id": "ed220bf3-6617-41c3-8a03-8726d17e3dfc",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json
deleted file mode 100644
index d804e7dc181739..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16662.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC (CVE-2019-16662)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC (CVE-2019-16662)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028933) or rule.id: (2028933))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16662"],
- "risk_score": 100,
- "rule_id": "777097d9-059e-409f-9509-67d7f90aea8c",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json
deleted file mode 100644
index 7ceebbe31c0ea2..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16759.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028621 or 2028625 or 2028826) or rule.id: (2028621 or 2028625 or 2028826))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16759"],
- "risk_score": 100,
- "rule_id": "145634a6-6d3d-4e78-bd51-ffe6f69f6bbb",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json
deleted file mode 100644
index 2c970e3248a642..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_16928.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028636) or rule.id: (2028636))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-16928"],
- "risk_score": 100,
- "rule_id": "39bb4ff1-ec7c-4379-9a07-ad24b83060bf",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json
deleted file mode 100644
index 2ed70492f52cad..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_17270.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029153 or 2029152) or rule.id: (2029153 or 2029152))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-17270"],
- "risk_score": 100,
- "rule_id": "e6f42ad9-c024-46de-99d8-492d780cdd5e",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json
deleted file mode 100644
index 9c84f3042e86ce..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_1821.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027368) or rule.id: (2027368))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-1821"],
- "risk_score": 100,
- "rule_id": "5aed0105-a86a-4502-9a8b-169ee24b0c7f",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json
deleted file mode 100644
index 2ee5d4bff1cbe5..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_19781.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029206 or 2029255) or rule.id: (2029206 or 2029255))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-19781"],
- "risk_score": 100,
- "rule_id": "6fde4e79-bf78-4173-b395-73377e289a73",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json
deleted file mode 100644
index 7ca97786945ff1..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2618.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ATTACK [PTsecurity] Oracle Weblogic file upload RCE (CVE-2019-2618)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ATTACK [PTsecurity] Oracle Weblogic file upload RCE (CVE-2019-2618)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004781) or rule.id: (10004781))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-2618"],
- "risk_score": 100,
- "rule_id": "7ba6a778-647c-4506-8314-8206cf31f513",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json
deleted file mode 100644
index 66a7c63c9b3735..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_2725.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ATTACK [PTsecurity] Oracle Weblogic _async deserialization RCE Attempt (CVE-2019-2725)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ATTACK [PTsecurity] Oracle Weblogic _async deserialization RCE Attempt (CVE-2019-2725)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004779 or 10004927) or rule.id: (10004779 or 10004927))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-2725"],
- "risk_score": 100,
- "rule_id": "f7879284-38e9-40d4-a471-6e1b38fd5a9f",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json
deleted file mode 100644
index b4a0f0284665dd..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3396.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004699 or 2027333) or rule.id: (10004699 or 2027333))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-3396"],
- "risk_score": 100,
- "rule_id": "d51ce0e4-31fa-4ffb-a1a6-7f9fa386ea52",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json
deleted file mode 100644
index ae6e48baa0fa6a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_3929.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027451 or 2027450) or rule.id: (2027451 or 2027450))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-3929"],
- "risk_score": 100,
- "rule_id": "0a6fefd6-22dd-4c78-aba8-e949b04360b4",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json
deleted file mode 100644
index 42d9793336ae36..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_5533.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2028928) or rule.id: (2028928))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-5533"],
- "risk_score": 100,
- "rule_id": "65012760-1f26-47a3-b2d3-a685d638483f",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json
deleted file mode 100644
index cd55b6be262dcb..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_6340.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (10004555) or rule.id: (10004555))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-6340"],
- "risk_score": 100,
- "rule_id": "4b2b4879-45c6-4721-b058-143f07aa474f",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json
deleted file mode 100644
index e8cfcb0cfc7916..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_7256.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2029207) or rule.id: (2029207))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-7256"],
- "risk_score": 100,
- "rule_id": "8ef47e09-39f5-494a-82b7-3aca4310ea96",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json
deleted file mode 100644
index 0537004ae4b2d5..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_exploit_cve_2019_9978.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description": "ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978",
- "query": "event.module:suricata and event.kind:alert and (suricata.eve.alert.signature_id: (2027315) or rule.id: (2027315))",
- "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-9978"],
- "risk_score": 100,
- "rule_id": "6b185518-b84a-44b7-843c-01c95b5a2a83",
- "severity": "high",
- "threats": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0001",
- "name": "initial access",
- "reference": "https://attack.mitre.org/tactics/TA0001/"
- },
- "techniques": [
- {
- "id": "T1190",
- "name": "exploit public-facing application",
- "reference": "https://attack.mitre.org/techniques/T1190/"
- }
- ]
- }
- ],
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json
deleted file mode 100644
index 8c36a7052a720a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ftp_traffic_on_unusual_port_internet_destination.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata FTP Traffic on Unusual Port, Internet Destination",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata FTP Traffic on Unusual Port, Internet Destination",
- "query": "suricata.eve.alert.signature_id:2610005 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "risk_score": 50,
- "rule_id": "b1adc850-0fe3-4dac-94d3-6f240071f83a",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json
deleted file mode 100644
index 72228ce1215755..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_http_traffic_on_unusual_port_internet_destination.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata HTTP Traffic On Unusual Port, Internet Destination",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata HTTP Traffic On Unusual Port, Internet Destination",
- "query": " suricata.eve.alert.signature_id:2610001 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "risk_score": 50,
- "rule_id": "43795909-913c-419d-8355-7f2880694bec",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json
deleted file mode 100644
index 1f06fbb0a337db..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_imap_traffic_on_unusual_port_internet_destination.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata IMAP Traffic on Unusual Port, internet Destination",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata IMAP Traffic on Unusual Port, internet Destination",
- "query": "suricata.eve.alert.signature_id:2610009 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "risk_score": 50,
- "rule_id": "738ee70b-7d0f-438f-98ac-a393df58c58f",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json
deleted file mode 100644
index 9c2d818b88c5d3..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_lazagne_artifact_in_an_http_post.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata LaZagne Artifact in an HTTP POST",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata LaZagne Artifact in an HTTP POST",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610149 or 2610150)",
- "risk_score": 50,
- "rule_id": "c6e6f16f-66de-43d5-8ab7-599af536dedf",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json
deleted file mode 100644
index 0cbf4092bfa31d..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_artifacts_in_an_http_post.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Mimikatz Artifacts in an HTTP POST",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Mimikatz Artifacts in an HTTP POST",
- "query": "suricata.eve.alert.signature_id:2610155 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "1b62e8af-c10d-4708-9a74-118cb1c9ed8a",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json
deleted file mode 100644
index 730aaa63ab07db..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_mimikatz_string_detected_in_http_response.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Mimikatz String Detected in HTTP Response",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Mimikatz String Detected in HTTP Response",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610144 or 2610145 or 2610146 or 2610147 or 2610148)",
- "risk_score": 50,
- "rule_id": "2b365d3a-11a3-4bec-9698-b36c908f46ff",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json
deleted file mode 100644
index 96f180fee09902..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_tcp_port_53.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata non-DNS Traffic on TCP Port 53",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata non-DNS Traffic on TCP Port 53",
- "query": "suricata.eve.alert.signature_id:2610014 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "67c7d28e-8be4-49ae-9c89-5c328ea245dc",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json
deleted file mode 100644
index 95458f14b0b2c6..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nondns_traffic_on_udp_port_53.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata non-DNS Traffic on UDP Port 53",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata non-DNS Traffic on UDP Port 53",
- "query": "suricata.eve.alert.signature_id:2610016 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "ba6dea7f-ba98-4a86-b570-d05d85472e79",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json
deleted file mode 100644
index 42bcc2fa1bca19..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonftp_traffic_on_port_21.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata non-FTP Traffic on Port 21",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata non-FTP Traffic on Port 21",
- "query": "suricata.eve.alert.signature_id:2610006 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "ee2b07ec-94dd-48b2-b46b-7bef47cc43fc",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json
deleted file mode 100644
index af681646e8224f..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonhttp_traffic_on_tcp_port_80.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata non-HTTP Traffic on TCP Port 80",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata non-HTTP Traffic on TCP Port 80",
- "query": "suricata.eve.alert.signature_id:2610002 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "risk_score": 50,
- "rule_id": "70f9bd9f-accc-4da8-8674-38992096ddba",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json
deleted file mode 100644
index 548b35165028c3..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonimap_traffic_on_port_1443_imap.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata non-IMAP Traffic on Port 1443 (IMAP)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata non-IMAP Traffic on Port 1443 (IMAP)",
- "query": "suricata.eve.alert.signature_id:2610010 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "241b6a1d-4f73-4b68-bd98-22e909681930",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json
deleted file mode 100644
index a7e57103c633d9..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonsmb_traffic_on_tcp_port_139_smb.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata non-SMB Traffic on TCP Port 139 (SMB)",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata non-SMB Traffic on TCP Port 139 (SMB)",
- "query": "suricata.eve.alert.signature_id:2610011 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "c259ab53-4b1a-42f6-b204-fe057c521515",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json
deleted file mode 100644
index 3e07bd7a97cb85..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nonssh_traffic_on_port_22.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata non-SSH Traffic on Port 22",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata non-SSH Traffic on Port 22",
- "query": "suricata.eve.alert.signature_id:2610008 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "256e9e8b-8366-4f23-8cbe-c9eb5ba25633",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json
deleted file mode 100644
index 16dc9f46f0e32e..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_nontls_on_tls_port.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata non-TLS on TLS Port",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata non-TLS on TLS Port",
- "query": "suricata.eve.alert.signature_id:2610004 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "risk_score": 50,
- "rule_id": "b060c87f-af49-40eb-acee-561a1f1331aa",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json
deleted file mode 100644
index e8bc59f1b5268a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_cobalt_strike_malleable_c2_null_response.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Possible Cobalt Strike Malleable C2 Null Response",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Possible Cobalt Strike Malleable C2 Null Response",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610202 or 2610203)",
- "risk_score": 50,
- "rule_id": "6099a760-7293-4e26-8aa8-b984abb32ac6",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json
deleted file mode 100644
index 8b208e5586726a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_possible_sql_injection_sql_commands_in_http_transactions.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Possible SQL Injection - SQL Commands in HTTP Transactions",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Possible SQL Injection - SQL Commands in HTTP Transactions",
- "query": "(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610117 or 2610118 or 2610118 or 2610119 or 2610121 or 2610122 or 2610123)",
- "risk_score": 50,
- "rule_id": "cdfbcd5e-1d8e-47e6-b3f2-b09bce780640",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json
deleted file mode 100644
index fe3d500b42d3e9..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_rpc_traffic_on_http_ports.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata RPC Traffic on HTTP Ports",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata RPC Traffic on HTTP Ports",
- "query": "suricata.eve.alert.signature_id:2610012 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "87e77fb6-b555-43be-adc5-f57c6aaf7cd0",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json
deleted file mode 100644
index a59cc42fa4557f..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_serialized_php_detected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Serialized PHP Detected",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Serialized PHP Detected",
- "query": "suricata.eve.alert.signature_id:2610091 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "3baa5b65-d11e-40fb-a9b4-6b2a6a062d48",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json
deleted file mode 100644
index e4fd0e866e7cf9..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_shell_exec_php_function_in_an_http_post.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata shell_exec PHP Function in an HTTP POST",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata shell_exec PHP Function in an HTTP POST",
- "query": "suricata.eve.alert.signature_id:2610087 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "082fca48-4707-485a-aedb-340ee77e0687",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json
deleted file mode 100644
index a22c3a4fdfdd40..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_ssh_traffic_not_on_port_22_internet_destination.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata SSH Traffic Not on Port 22, Internet Destination",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata SSH Traffic Not on Port 22, Internet Destination",
- "query": "suricata.eve.alert.signature_id:2610007 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "risk_score": 50,
- "rule_id": "82265eef-1212-4c4f-af04-f977a3060592",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json
deleted file mode 100644
index 23f1f79bc42487..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_tls_traffic_on_unusual_port_internet_destination.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata TLS Traffic on Unusual Port, Internet Destination",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata TLS Traffic on Unusual Port, Internet Destination",
- "query": "suricata.eve.alert.signature_id:2610003 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
- "risk_score": 50,
- "rule_id": "6c1db8ba-db4b-4513-a0e3-b3c857ba8b05",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json
deleted file mode 100644
index 9717beac902e5f..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suricata_windows_executable_served_by_jpeg_web_content.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Suricata Windows Executable Served by JPEG Web Content",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Suricata Windows Executable Served by JPEG Web Content",
- "query": "suricata.eve.alert.signature_id:2610084 and (event.module:suricata and event.kind:alert)",
- "risk_score": 50,
- "rule_id": "f7f038f4-b97a-4d0c-b3b6-d5fa1ad15951",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json
deleted file mode 100644
index 87549a455c1d3e..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Detected Zeek capture loss exceeds the percentage threshold",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice CaptureLoss::Too_Much_Loss",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"CaptureLoss::Too_Much_Loss\" or rule.name: \"CaptureLoss::Too_Much_Loss\")",
- "risk_score": 50,
- "rule_id": "c115a407-799b-45d6-962e-a639bb764c06",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json
deleted file mode 100644
index 69a82f9840a931..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Data has sequence hole; perhaps due to filtering.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Conn::Content_Gap",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Content_Gap\" or rule.name: \"Conn::Content_Gap\")",
- "risk_score": 50,
- "rule_id": "22d12b64-33f4-40ce-ad57-49dd870bc8e5",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json
deleted file mode 100644
index c5ba4eb8082aaf..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Possible evasion; usually just chud.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Conn::Retransmission_Inconsistency",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Retransmission_Inconsistency\" or rule.name: \"Conn::Retransmission_Inconsistency\")",
- "risk_score": 50,
- "rule_id": "53719624-55f0-4541-8370-f27f6766fb9e",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json
deleted file mode 100644
index cb5db1529aa0ec..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Raised when a non-local name is found to be pointing at a local host.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice DNS::External_Name",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"DNS::External_Name\" or rule.name: \"DNS::External_Name\")",
- "risk_score": 50,
- "rule_id": "39c40c5a-110c-45b1-876f-969212e8814b",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json
deleted file mode 100644
index 43bc1f05a2212f..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice FTP::Bruteforcing",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Bruteforcing\" or rule.name: \"FTP::Bruteforcing\")",
- "risk_score": 50,
- "rule_id": "7e069475-817e-4e89-9245-1dfaa3083b11",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json
deleted file mode 100644
index 63b8b847563b57..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a successful response to a “SITE EXEC” command/arg pair was seen.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice FTP::Site_Exec_Success",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Site_Exec_Success\" or rule.name: \"FTP::Site_Exec_Success\")",
- "risk_score": 50,
- "rule_id": "4b9cb3e9-e26a-4bd2-bd1f-8d451b49838f",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json
deleted file mode 100644
index adc8878f6986aa..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a host performed a heartbleed attack or scan.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack\")",
- "risk_score": 50,
- "rule_id": "68a33102-3680-4581-a48a-210b23925905",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json
deleted file mode 100644
index 3f03e5483cc315..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a host performing a heartbleed attack was probably successful.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack_Success",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack_Success\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack_Success\")",
- "risk_score": 50,
- "rule_id": "241a61ae-b385-4f36-96c4-b2fb5446cc43",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json
deleted file mode 100644
index 2902c4a4b8e5fe..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates we saw many heartbeat requests without a reply. Might be an attack.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Many_Requests",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Many_Requests\" or rule.name: \"Heartbleed::SSL_Heartbeat_Many_Requests\")",
- "risk_score": 50,
- "rule_id": "59d6a32c-753e-4c19-bb77-1befdc6e0e6a",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json
deleted file mode 100644
index 871999b842609a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates we saw heartbeat requests with odd length. Probably an attack or scan.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Odd_Length",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Odd_Length\" or rule.name: \"Heartbleed::SSL_Heartbeat_Odd_Length\")",
- "risk_score": 50,
- "rule_id": "0c6e7be4-6cab-4ee1-ad51-7c1ffd0e9002",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json
deleted file mode 100644
index fe6bcb8a881003..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a host performing SQL injection attacks was detected.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice HTTP::SQL_Injection_Attacker",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Attacker\" or rule.name: \"HTTP::SQL_Injection_Attacker\")",
- "risk_score": 50,
- "rule_id": "4ca9ef93-7e7e-40a4-8d71-9130204d86e6",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json
deleted file mode 100644
index ed1f5bbaa13b2a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a host was seen to have SQL injection attacks against it. This is tracked by IP address as opposed to hostname.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice HTTP::SQL_Injection_Victim",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Victim\" or rule.name: \"HTTP::SQL_Injection_Victim\")",
- "risk_score": 50,
- "rule_id": "dda43d7f-69bc-487f-b05c-2b518e9db622",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json
deleted file mode 100644
index 615f3b48276567..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "This notice is generated when an intelligence indicator is denoted to be notice-worthy.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Intel::Notice",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Intel::Notice\" or rule.name: \"Intel::Notice\")",
- "risk_score": 50,
- "rule_id": "122e153a-78f3-4e7e-a5b5-cfe0b917f109",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json
deleted file mode 100644
index cbe9fd654c4f80..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Zeek notice reporting a count of how often a notice occurred.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Notice::Tally",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Notice::Tally\" or rule.name: \"Notice::Tally\")",
- "risk_score": 50,
- "rule_id": "7581fd81-25e8-489e-bcf3-69db068b7a6c",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json
deleted file mode 100644
index 2d35d42eb07a1d..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Limitations in BPF make shunting some connections with BPF impossible. This notice encompasses those various cases.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice PacketFilter::Cannot_BPF_Shunt_Conn",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Cannot_BPF_Shunt_Conn\" or rule.name: \"PacketFilter::Cannot_BPF_Shunt_Conn\")",
- "risk_score": 50,
- "rule_id": "0031d83e-1fb4-4dd6-b938-97ae7044b051",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json
deleted file mode 100644
index 4013b77fe6e4ce..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "This notice is generated if a packet filter cannot be compiled.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice PacketFilter::Compile_Failure",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Compile_Failure\" or rule.name: \"PacketFilter::Compile_Failure\")",
- "risk_score": 50,
- "rule_id": "335b2ddc-f806-46e8-8ffa-114d613aac92",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json
deleted file mode 100644
index 21229e4055f480..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates packets were dropped by the packet filter.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice PacketFilter::Dropped_Packets",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Dropped_Packets\" or rule.name: \"PacketFilter::Dropped_Packets\")",
- "risk_score": 50,
- "rule_id": "4f212278-329b-4088-ae59-9091003dff22",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json
deleted file mode 100644
index 6f6ff30f99b570..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Generated if a packet filter fails to install.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice PacketFilter::Install_Failure",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Install_Failure\" or rule.name: \"PacketFilter::Install_Failure\")",
- "risk_score": 50,
- "rule_id": "235988ec-d037-4f5f-a211-74106512b36d",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json
deleted file mode 100644
index 0785959078bb71..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicative that PacketFilter::max_bpf_shunts connections are already being shunted with BPF filters and no more are allowed.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice PacketFilter::No_More_Conn_Shunts_Available",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::No_More_Conn_Shunts_Available\" or rule.name: \"PacketFilter::No_More_Conn_Shunts_Available\")",
- "risk_score": 50,
- "rule_id": "de4016de-3374-41a0-a678-21d36c70af9a",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json
deleted file mode 100644
index e8dbcaaeec43e0..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Generated when a notice takes too long to compile.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice PacketFilter::Too_Long_To_Compile_Filter",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Too_Long_To_Compile_Filter\" or rule.name: \"PacketFilter::Too_Long_To_Compile_Filter\")",
- "risk_score": 50,
- "rule_id": "71e93c42-7990-4233-a8a5-2631193df7db",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json
deleted file mode 100644
index 0caf01e3823c9b..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates a protocol was detected on a non-standard port.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice ProtocolDetector::Protocol_Found",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Protocol_Found\" or rule.name: \"ProtocolDetector::Protocol_Found\")",
- "risk_score": 50,
- "rule_id": "777586b6-4757-489e-a6e8-676b7df70b39",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json
deleted file mode 100644
index 196c9dc7241c8c..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates a server was detected on a non-standard port for the protocol.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice ProtocolDetector::Server_Found",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Server_Found\" or rule.name: \"ProtocolDetector::Server_Found\")",
- "risk_score": 50,
- "rule_id": "7d7f7635-6900-4f63-b14b-477a909ea90a",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json
deleted file mode 100644
index 34c8a126e424c0..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanaddress_scan.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Address scans detect that a host appears to be scanning some number of destinations on a single port.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Scan::Address_Scan",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Address_Scan\" or rule.name: \"Scan::Address_Scan\")",
- "risk_score": 50,
- "rule_id": "9d320fca-4ec1-4511-bdbc-7edf9673c07d",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json
deleted file mode 100644
index 1334f2c08ad09f..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_scanport_scan.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Port scans detect that an attacking host appears to be scanning a single victim host on several ports.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Scan::Port_Scan",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Scan::Port_Scan\" or rule.name: \"Scan::Port_Scan\")",
- "risk_score": 50,
- "rule_id": "d09fbf7a-47a7-4130-8dd7-b386cca81a42",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json
deleted file mode 100644
index 1dc25388dc688f..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturescount_signature.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "The same signature has triggered multiple times for a host.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Signatures::Count_Signature",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Count_Signature\" or rule.name: \"Signatures::Count_Signature\")",
- "risk_score": 50,
- "rule_id": "a704589c-8ba9-4a3c-8e39-ab9360cade17",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json
deleted file mode 100644
index 06cf39c1c3dbdd..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_sig_responders.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Host has triggered the same signature on multiple hosts.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Signatures::Multiple_Sig_Responders",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Sig_Responders\" or rule.name: \"Signatures::Multiple_Sig_Responders\")",
- "risk_score": 50,
- "rule_id": "4f313ae8-cbc6-4082-9599-526f8ccb7303",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json
deleted file mode 100644
index 350e6dfc30e187..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturesmultiple_signatures.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Host has triggered many signatures on the same host.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Signatures::Multiple_Signatures",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Multiple_Signatures\" or rule.name: \"Signatures::Multiple_Signatures\")",
- "risk_score": 50,
- "rule_id": "ab90d81c-79e1-4f62-a61e-484c4bedb2b0",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json
deleted file mode 100644
index c1438edf2e4acf..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessensitive_signature.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Generic notice type for notice-worthy signature matches.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Signatures::Sensitive_Signature",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Sensitive_Signature\" or rule.name: \"Signatures::Sensitive_Signature\")",
- "risk_score": 50,
- "rule_id": "ac394dec-67e8-417f-bb06-ae0bd75556b0",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json
deleted file mode 100644
index 7fd878ceb6c7f8..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_signaturessignature_summary.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Summarize the number of times a host triggered a signature.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Signatures::Signature_Summary",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Signatures::Signature_Summary\" or rule.name: \"Signatures::Signature_Summary\")",
- "risk_score": 50,
- "rule_id": "d17fe857-eb67-4843-ab63-bf4852e49396",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json
deleted file mode 100644
index 1e2579dfd1b4ec..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_blocked_host.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "The originator’s address is seen in the block list error message. This is useful to detect local hosts sending SPAM with a high positive rate.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SMTP::Blocklist_Blocked_Host",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Blocked_Host\" or rule.name: \"SMTP::Blocklist_Blocked_Host\")",
- "risk_score": 50,
- "rule_id": "402d5f78-82cd-4320-8b69-3185e44daf07",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json
deleted file mode 100644
index ae4794bd5481f4..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpblocklist_error_message.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "An SMTP server sent a reply mentioning an SMTP block list.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SMTP::Blocklist_Error_Message",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Blocklist_Error_Message\" or rule.name: \"SMTP::Blocklist_Error_Message\")",
- "risk_score": 50,
- "rule_id": "b9bb4a93-8c5c-4942-9193-e2dc97230034",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json
deleted file mode 100644
index ed871f4aa68986..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_smtpsuspicious_origination.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "SMTP message orignated from country or network configured to be suspicious.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SMTP::Suspicious_Origination",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SMTP::Suspicious_Origination\" or rule.name: \"SMTP::Suspicious_Origination\")",
- "risk_score": 50,
- "rule_id": "cc6e9fef-d936-4faf-8936-e576c089d8b2",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json
deleted file mode 100644
index 5a5cd3f48245f9..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwaresoftware_version_change.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that an interesting software application changed versions on a host.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Software::Software_Version_Change",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Software_Version_Change\" or rule.name: \"Software::Software_Version_Change\")",
- "risk_score": 50,
- "rule_id": "ea1d2c1b-ecfe-42a5-bd0b-56c7a1bd8075",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json
deleted file mode 100644
index 8addd5ed395624..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_softwarevulnerable_version.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a vulnerable version of software was detected.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Software::Vulnerable_Version",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Software::Vulnerable_Version\" or rule.name: \"Software::Vulnerable_Version\")",
- "risk_score": 50,
- "rule_id": "97b4d80c-7671-4301-85a6-954aa0ba96ce",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json
deleted file mode 100644
index f69ab099bf6d98..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshinteresting_hostname_login.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Generated if a login originates or responds with a host where the reverse hostname lookup resolves to a name matched by the SSH::interesting_hostnames regular expression.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSH::Interesting_Hostname_Login",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Interesting_Hostname_Login\" or rule.name: \"SSH::Interesting_Hostname_Login\")",
- "risk_score": 50,
- "rule_id": "6a7f2b0a-3f24-4d58-aa84-243f1f0556d9",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json
deleted file mode 100644
index 3b12aae2f4dd8a..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshlogin_by_password_guesser.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a host previously identified as a \"password guesser\" has now had a successful login attempt.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSH::Login_By_Password_Guesser",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Login_By_Password_Guesser\" or rule.name: \"SSH::Login_By_Password_Guesser\")",
- "risk_score": 50,
- "rule_id": "5600ad95-2244-43db-8a7d-77eea95f80db",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json
deleted file mode 100644
index 4fd7e8ec15ed70..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshpassword_guessing.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a host has been identified as crossing the SSH::password_guesses_limit threshold with failed logins.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSH::Password_Guessing",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Password_Guessing\" or rule.name: \"SSH::Password_Guessing\")",
- "risk_score": 50,
- "rule_id": "e278142a-4ee7-4443-9b1f-421174b0dabf",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json
deleted file mode 100644
index ecd57510441ae0..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sshwatched_country_login.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "SSH login was seen to or from a \"watched\" country based on the SSH::watched_countries variable",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSH::Watched_Country_Login",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSH::Watched_Country_Login\" or rule.name: \"SSH::Watched_Country_Login\")",
- "risk_score": 50,
- "rule_id": "983f4b7e-38cd-4d7f-8be6-40447431561e",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json
deleted file mode 100644
index 0309896ed31eea..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expired.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a certificate’s NotValidAfter date has lapsed and the certificate is now invalid.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSL::Certificate_Expired",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expired\" or rule.name: \"SSL::Certificate_Expired\")",
- "risk_score": 50,
- "rule_id": "3981f48e-49a5-4a3e-9b44-900a0887526c",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json
deleted file mode 100644
index 8f76bdab1a7ea3..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_expires_soon.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a certificate is going to expire within SSL::notify_when_cert_expiring_in.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSL::Certificate_Expires_Soon",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Expires_Soon\" or rule.name: \"SSL::Certificate_Expires_Soon\")",
- "risk_score": 50,
- "rule_id": "e8207172-3478-4b2c-85b7-6f13d97fff43",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json
deleted file mode 100644
index 785ba45744022c..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslcertificate_not_valid_yet.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a certificate’s NotValidBefore date is future dated.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSL::Certificate_Not_Valid_Yet",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Certificate_Not_Valid_Yet\" or rule.name: \"SSL::Certificate_Not_Valid_Yet\")",
- "risk_score": 50,
- "rule_id": "45586490-99f6-4e11-8228-2229d727a3b4",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json
deleted file mode 100644
index 3704a1be0cd269..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_ocsp_response.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "This indicates that the OCSP response was not deemed to be valid.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSL::Invalid_Ocsp_Response",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Ocsp_Response\" or rule.name: \"SSL::Invalid_Ocsp_Response\")",
- "risk_score": 50,
- "rule_id": "eb17fcbb-de22-4aa0-81aa-1c059bdd4f2b",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json
deleted file mode 100644
index c068a3ecf0d82c..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslinvalid_server_cert.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "This notice indicates that the result of validating the certificate along with its full certificate chain was invalid.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSL::Invalid_Server_Cert",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Invalid_Server_Cert\" or rule.name: \"SSL::Invalid_Server_Cert\")",
- "risk_score": 50,
- "rule_id": "13f51fe0-fc74-4c45-90f3-6fb1cd26ec66",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json
deleted file mode 100644
index 8d180115eadeac..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslold_version.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a server is using a potentially unsafe version",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSL::Old_Version",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Old_Version\" or rule.name: \"SSL::Old_Version\")",
- "risk_score": 50,
- "rule_id": "260b680e-c3d6-4c03-90cd-03c86e9f8ec1",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json
deleted file mode 100644
index 602445d1463fe3..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_cipher.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a server is using a potentially unsafe cipher",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSL::Weak_Cipher",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Cipher\" or rule.name: \"SSL::Weak_Cipher\")",
- "risk_score": 50,
- "rule_id": "25886074-6ae1-41c0-8546-e8cf55ed1b4b",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json
deleted file mode 100644
index b88752e9b8c945..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_sslweak_key.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a server is using a potentially unsafe key.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice SSL::Weak_Key",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"SSL::Weak_Key\" or rule.name: \"SSL::Weak_Key\")",
- "risk_score": 50,
- "rule_id": "e020f504-c0e5-4768-8e1f-1e2ec7bac961",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json
deleted file mode 100644
index 8a36b974dc4fc6..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_teamcymrumalwarehashregistrymatch.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "The hash value of a file transferred over HTTP matched in the malware hash registry.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice TeamCymruMalwareHashRegistry::Match",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"TeamCymruMalwareHashRegistry::Match\" or rule.name: \"TeamCymruMalwareHashRegistry::Match\")",
- "risk_score": 50,
- "rule_id": "a130a0ba-b083-4630-b0ea-cceb80d7720b",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json
deleted file mode 100644
index ec05000118f35d..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_traceroutedetected.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Indicates that a host was seen running traceroutes.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Traceroute::Detected",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Traceroute::Detected\" or rule.name: \"Traceroute::Detected\")",
- "risk_score": 50,
- "rule_id": "aeefe077-f05d-44a7-b757-272fc51c334c",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json
deleted file mode 100644
index dcc5dfcf124ca0..00000000000000
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_weirdactivity.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description": "Generic unusual but notice-worthy weird activity.",
- "enabled": false,
- "filters": [],
- "from": "now-6m",
- "immutable": true,
- "interval": "5m",
- "language": "kuery",
- "name": "Zeek Notice Weird::Activity",
- "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Weird::Activity\" or rule.name: \"Weird::Activity\")",
- "risk_score": 50,
- "rule_id": "d5ad39d0-8421-4f79-ad93-8ddbf7f553b3",
- "severity": "low",
- "to": "now",
- "type": "query",
- "version": 1
-}