[SIEM][Detection Engine] More updates with more rules (#53728)

## Summary

* Adds more rules from detection groups

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios
~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_capturelosstoo_much_loss.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "c115a407-799b-45d6-962e-a639bb764c06",
+  "risk_score": 50,
+  "description": "Detected Zeek capture loss exceeds the percentage threshold",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice CaptureLoss::Too_Much_Loss",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"CaptureLoss::Too_Much_Loss\" or rule.name: \"CaptureLoss::Too_Much_Loss\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_conncontent_gap.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "22d12b64-33f4-40ce-ad57-49dd870bc8e5",
+  "risk_score": 50,
+  "description": "Data has sequence hole; perhaps due to filtering.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice Conn::Content_Gap",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Content_Gap\" or rule.name: \"Conn::Content_Gap\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_connretransmission_inconsistency.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "53719624-55f0-4541-8370-f27f6766fb9e",
+  "risk_score": 50,
+  "description": "Possible evasion; usually just chud.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice Conn::Retransmission_Inconsistency",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Conn::Retransmission_Inconsistency\" or rule.name: \"Conn::Retransmission_Inconsistency\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_dnsexternal_name.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "39c40c5a-110c-45b1-876f-969212e8814b",
+  "risk_score": 50,
+  "description": "Raised when a non-local name is found to be pointing at a local host.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice DNS::External_Name",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"DNS::External_Name\" or rule.name: \"DNS::External_Name\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpbruteforcing.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "7e069475-817e-4e89-9245-1dfaa3083b11",
+  "risk_score": 50,
+  "description": "Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice FTP::Bruteforcing",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Bruteforcing\" or rule.name: \"FTP::Bruteforcing\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_ftpsite_exec_success.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "4b9cb3e9-e26a-4bd2-bd1f-8d451b49838f",
+  "risk_score": 50,
+  "description": "Indicates that a successful response to a “SITE EXEC” command/arg pair was seen.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice FTP::Site_Exec_Success",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"FTP::Site_Exec_Success\" or rule.name: \"FTP::Site_Exec_Success\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "68a33102-3680-4581-a48a-210b23925905",
+  "risk_score": 50,
+  "description": "Indicates that a host performed a heartbleed attack or scan.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_attack_success.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "241a61ae-b385-4f36-96c4-b2fb5446cc43",
+  "risk_score": 50,
+  "description": "Indicates that a host performing a heartbleed attack was probably successful.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Attack_Success",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Attack_Success\" or rule.name: \"Heartbleed::SSL_Heartbeat_Attack_Success\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_many_requests.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "59d6a32c-753e-4c19-bb77-1befdc6e0e6a",
+  "risk_score": 50,
+  "description": "Indicates we saw many heartbeat requests without a reply. Might be an attack.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Many_Requests",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Many_Requests\" or rule.name: \"Heartbleed::SSL_Heartbeat_Many_Requests\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_heartbleedssl_heartbeat_odd_length.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "0c6e7be4-6cab-4ee1-ad51-7c1ffd0e9002",
+  "risk_score": 50,
+  "description": "Indicates we saw heartbeat requests with odd length. Probably an attack or scan.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice Heartbleed::SSL_Heartbeat_Odd_Length",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Heartbleed::SSL_Heartbeat_Odd_Length\" or rule.name: \"Heartbleed::SSL_Heartbeat_Odd_Length\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_attacker.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "4ca9ef93-7e7e-40a4-8d71-9130204d86e6",
+  "risk_score": 50,
+  "description": "Indicates that a host performing SQL injection attacks was detected.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice HTTP::SQL_Injection_Attacker",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Attacker\" or rule.name: \"HTTP::SQL_Injection_Attacker\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_httpsql_injection_victim.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "dda43d7f-69bc-487f-b05c-2b518e9db622",
+  "risk_score": 50,
+  "description": "Indicates that a host was seen to have SQL injection attacks against it. This is tracked by IP address as opposed to hostname.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice HTTP::SQL_Injection_Victim",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"HTTP::SQL_Injection_Victim\" or rule.name: \"HTTP::SQL_Injection_Victim\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_intelnotice.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "122e153a-78f3-4e7e-a5b5-cfe0b917f109",
+  "risk_score": 50,
+  "description": "This notice is generated when an intelligence indicator is denoted to be notice-worthy.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice Intel::Notice",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Intel::Notice\" or rule.name: \"Intel::Notice\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_noticetally.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "7581fd81-25e8-489e-bcf3-69db068b7a6c",
+  "risk_score": 50,
+  "description": "Zeek notice reporting a count of how often a notice occurred.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice Notice::Tally",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"Notice::Tally\" or rule.name: \"Notice::Tally\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercannot_bpf_shunt_conn.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "0031d83e-1fb4-4dd6-b938-97ae7044b051",
+  "risk_score": 50,
+  "description": "Limitations in BPF make shunting some connections with BPF impossible. This notice encompasses those various cases.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice PacketFilter::Cannot_BPF_Shunt_Conn",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Cannot_BPF_Shunt_Conn\" or rule.name: \"PacketFilter::Cannot_BPF_Shunt_Conn\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltercompile_failure.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "335b2ddc-f806-46e8-8ffa-114d613aac92",
+  "risk_score": 50,
+  "description": "This notice is generated if a packet filter cannot be compiled.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice PacketFilter::Compile_Failure",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Compile_Failure\" or rule.name: \"PacketFilter::Compile_Failure\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterdropped_packets.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "4f212278-329b-4088-ae59-9091003dff22",
+  "risk_score": 50,
+  "description": "Indicates packets were dropped by the packet filter.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice PacketFilter::Dropped_Packets",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Dropped_Packets\" or rule.name: \"PacketFilter::Dropped_Packets\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterinstall_failure.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "235988ec-d037-4f5f-a211-74106512b36d",
+  "risk_score": 50,
+  "description": "Generated if a packet filter fails to install.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice PacketFilter::Install_Failure",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Install_Failure\" or rule.name: \"PacketFilter::Install_Failure\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfilterno_more_conn_shunts_available.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "de4016de-3374-41a0-a678-21d36c70af9a",
+  "risk_score": 50,
+  "description": "Indicative that PacketFilter::max_bpf_shunts connections are already being shunted with BPF filters and no more are allowed.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice PacketFilter::No_More_Conn_Shunts_Available",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::No_More_Conn_Shunts_Available\" or rule.name: \"PacketFilter::No_More_Conn_Shunts_Available\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_packetfiltertoo_long_to_compile_filter.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "71e93c42-7990-4233-a8a5-2631193df7db",
+  "risk_score": 50,
+  "description": "Generated when a notice takes too long to compile.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice PacketFilter::Too_Long_To_Compile_Filter",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"PacketFilter::Too_Long_To_Compile_Filter\" or rule.name: \"PacketFilter::Too_Long_To_Compile_Filter\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorprotocol_found.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "777586b6-4757-489e-a6e8-676b7df70b39",
+  "risk_score": 50,
+  "description": "Indicates a protocol was detected on a non-standard port.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice ProtocolDetector::Protocol_Found",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Protocol_Found\" or rule.name: \"ProtocolDetector::Protocol_Found\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/zeek_notice_protocoldetectorserver_found.json

@@ -0,0 +1,17 @@
+{
+  "rule_id": "7d7f7635-6900-4f63-b14b-477a909ea90a",
+  "risk_score": 50,
+  "description": "Indicates a server was detected on a non-standard port for the protocol.",
+  "immutable": true,
+  "interval": "5m",
+  "name": "Zeek Notice ProtocolDetector::Server_Found",
+  "severity": "low",
+  "type": "query",
+  "from": "now-6m",
+  "to": "now",
+  "query": "event.module: zeek and event.dataset: zeek.notice and (zeek.notice.note: \"ProtocolDetector::Server_Found\" or rule.name: \"ProtocolDetector::Server_Found\")",
+  "language": "kuery",
+  "filters": [],
+  "enabled": false,
+  "version": 1
+}