From afea5636a2e8ca7f364388db103486373ec1eac7 Mon Sep 17 00:00:00 2001 From: Frank Hassanabad Date: Mon, 27 Jan 2020 22:11:41 -0700 Subject: [PATCH] [SIEM][Detection Engine] critical blocker, updates the pre-packaged rules, removes dead ones, adds license file (#56090) (#56095) ## Summary * Adds updated pre-packaged rules with more meta-data (from randomuserid) * Deletes older rules not shipping (from randomuserid) * Adds license file for rules (from randomuserid) ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11]~~(https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ ~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~ ~~- [ ] This was checked for [keyboard-only and screenreader accessibility]~~(https://developer.mozilla.org/enUS/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) - [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) --- .../403_response_to_a_post.json | 20 +- .../405_response_method_not_allowed.json | 20 +- .../500_response_on_admin_page.json | 20 -- .../rules/prepackaged_rules/NOTICE.txt | 20 ++ ..._security_adversary_behavior_detected.json | 19 ++ ...dpoint_security_cred_dumping_detected.json | 19 ++ ...point_security_cred_dumping_prevented.json | 19 ++ ...t_security_cred_manipulation_detected.json | 19 ++ ..._security_cred_manipulation_prevented.json | 18 ++ ...ic_endpoint_security_exploit_detected.json | 19 ++ ...c_endpoint_security_exploit_prevented.json | 19 ++ ...ic_endpoint_security_malware_detected.json | 19 ++ ...c_endpoint_security_malware_prevented.json | 19 ++ ...nt_security_permission_theft_detected.json | 19 ++ ...t_security_permission_theft_prevented.json | 19 ++ ...t_security_process_injection_detected.json | 19 ++ ..._security_process_injection_prevented.json | 19 ++ ...endpoint_security_ransomware_detected.json | 19 ++ ...ndpoint_security_ransomware_prevented.json | 19 ++ ...den_file_attribute_with_via_attribexe.json | 17 +- .../eql_adobe_hijack_persistence.json | 13 +- .../eql_audio_capture_via_powershell.json | 13 +- .../eql_audio_capture_via_soundrecorder.json | 13 +- .../eql_bypass_uac_event_viewer.json | 15 +- .../eql_bypass_uac_via_cmstp.json | 17 +- .../eql_bypass_uac_via_sdclt.json | 17 +- .../eql_clearing_windows_event_logs.json | 13 +- ...delete_volume_usn_journal_with_fsutil.json | 17 +- ...deleting_backup_catalogs_with_wbadmin.json | 17 +- .../eql_direct_outbound_smb_connection.json | 13 +- ...ble_windows_firewall_rules_with_netsh.json | 17 +- .../eql_dll_search_order_hijack.json | 13 +- ...coding_or_decoding_files_via_certutil.json | 13 +- .../eql_local_scheduled_task_commands.json | 16 +- .../eql_local_service_commands.json | 13 +- ...ql_modification_of_boot_configuration.json | 15 +- ...ql_msbuild_making_network_connections.json | 13 +- .../eql_mshta_making_network_connections.json | 21 +- .../eql_msxsl_making_network_connections.json | 17 +- .../eql_psexec_lateral_movement_command.json | 52 +++- ...ql_suspicious_ms_office_child_process.json | 13 +- ...l_suspicious_ms_outlook_child_process.json | 15 +- ...l_suspicious_pdf_reader_child_process.json | 15 +- .../eql_system_shells_via_services.json | 13 +- ...usual_network_connection_via_rundll32.json | 15 +- .../eql_unusual_parentchild_relationship.json | 15 +- ...ql_unusual_process_network_connection.json | 13 +- .../eql_user_account_creation.json | 13 +- ...eql_user_added_to_administrator_group.json | 13 +- ...ume_shadow_copy_deletion_via_vssadmin.json | 15 +- ..._volume_shadow_copy_deletion_via_wmic.json | 17 +- ...l_windows_script_executing_powershell.json | 15 +- .../eql_wmic_command_lateral_movement.json | 18 +- .../rules/prepackaged_rules/index.ts | 278 +++++++----------- .../linux_hping_activity.json | 18 +- .../linux_iodine_activity.json | 20 +- .../linux_kernel_module_activity.json | 12 +- .../linux_ldso_process_activity.json | 16 +- .../linux_lzop_activity.json | 20 -- .../linux_mknod_activity.json | 20 +- .../linux_netcat_network_connection.json | 16 +- ...k_anomalous_process_using_https_ports.json | 20 -- .../linux_nmap_activity.json | 20 +- .../linux_nping_activity.json | 18 +- ...nux_process_started_in_temp_directory.json | 14 +- .../linux_ptrace_activity.json | 20 -- .../linux_rawshark_activity.json | 20 -- .../linux_shell_activity_by_web_server.json | 17 +- .../linux_socat_activity.json | 14 +- .../linux_ssh_forwarding.json | 19 +- .../linux_strace_activity.json | 20 +- .../linux_tcpdump_activity.json | 14 +- .../prepackaged_rules/linux_web_download.json | 20 -- .../linux_whoami_commmand.json | 16 +- .../network_dns_directly_to_the_internet.json | 15 +- ...fer_protocol_activity_to_the_internet.json | 17 +- ...hat_protocol_activity_to_the_internet.json | 17 +- .../network_nat_traversal_port_activity.json | 11 +- .../network_port_26_activity.json | 11 +- .../network_port_8000_activity.json | 20 -- ...rk_port_8000_activity_to_the_internet.json | 11 +- ..._to_point_tunneling_protocol_activity.json | 28 +- ...k_proxy_port_activity_to_the_internet.json | 13 +- ...te_desktop_protocol_from_the_internet.json | 49 ++- ...mote_desktop_protocol_to_the_internet.json | 19 +- ...mote_procedure_call_from_the_internet.json | 12 +- ...remote_procedure_call_to_the_internet.json | 14 +- ...file_sharing_activity_to_the_internet.json | 16 +- .../network_smtp_to_the_internet.json | 15 +- ..._server_port_activity_to_the_internet.json | 30 +- ...rk_ssh_secure_shell_from_the_internet.json | 54 ++-- ...work_ssh_secure_shell_to_the_internet.json | 13 +- .../network_telnet_port_activity.json | 44 ++- .../network_tor_activity_to_the_internet.json | 30 +- ...l_network_computing_from_the_internet.json | 37 ++- ...ual_network_computing_to_the_internet.json | 21 +- .../prepackaged_rules/null_user_agent.json | 24 +- .../prepackaged_rules/sqlmap_user_agent.json | 20 +- ...rvice_bits_connecting_to_the_internet.json | 49 ++- .../windows_burp_ce_activity.json | 20 -- ...s_certutil_connecting_to_the_internet.json | 34 ++- ...and_prompt_connecting_to_the_internet.json | 52 +++- ...nd_shell_started_by_internet_explorer.json | 34 ++- ...s_command_shell_started_by_powershell.json | 49 ++- ...dows_command_shell_started_by_svchost.json | 34 ++- .../windows_credential_dumping_commands.json | 20 -- ...dows_credential_dumping_via_imageload.json | 20 -- ..._credential_dumping_via_registry_save.json | 20 -- ...ows_data_compression_using_powershell.json | 20 -- ...fense_evasion_decoding_using_certutil.json | 20 -- ...asion_or_persistence_via_hidden_files.json | 20 -- ...ws_defense_evasion_via_filter_manager.json | 35 ++- ...e_evasion_via_windows_event_log_tools.json | 20 -- ...dows_execution_via_compiled_html_file.json | 52 +++- ...dows_execution_via_connection_manager.json | 35 ++- ...on_via_microsoft_html_application_hta.json | 20 -- ...dows_execution_via_net_com_assemblies.json | 38 ++- .../windows_execution_via_regsvr32.json | 49 ++- ...ution_via_trusted_developer_utilities.json | 53 +++- ...le_program_connecting_to_the_internet.json | 49 ++- ...dows_image_load_from_a_temp_directory.json | 47 --- .../windows_indirect_command_execution.json | 20 -- .../windows_iodine_activity.json | 20 -- ...agement_instrumentation_wmi_execution.json | 20 -- ...cation_hta_connecting_to_the_internet.json | 20 -- .../windows_mimikatz_activity.json | 20 -- ...isc_lolbin_connecting_to_the_internet.json | 49 ++- ...ommand_activity_by_the_system_account.json | 34 ++- .../windows_net_user_command_activity.json | 20 -- .../windows_netcat_activity.json | 20 -- .../windows_netcat_network_activity.json | 20 -- ...ous_windows_process_using_https_ports.json | 20 -- .../windows_nmap_activity.json | 20 -- .../windows_nmap_scan_activity.json | 20 -- ...dows_payload_obfuscation_via_certutil.json | 20 -- ...stence_or_priv_escalation_via_hooking.json | 20 -- ..._persistence_via_application_shimming.json | 50 +++- .../windows_persistence_via_bits_jobs.json | 20 -- ..._via_modification_of_existing_service.json | 20 -- ...s_persistence_via_netshell_helper_dll.json | 20 -- ...powershell_connecting_to_the_internet.json | 20 -- ...escalation_via_accessibility_features.json | 50 +++- ...rocess_discovery_via_tasklist_command.json | 38 ++- .../windows_process_execution_via_wmi.json | 37 ++- ...ed_by_acrobat_reader_possible_payload.json | 20 -- ...by_ms_office_program_possible_payload.json | 20 -- ...s_process_started_by_the_java_runtime.json | 20 -- .../windows_psexec_activity.json | 20 -- ...er_program_connecting_to_the_internet.json | 52 +++- .../windows_registry_query_local.json | 20 -- .../windows_registry_query_network.json | 20 -- .../windows_remote_management_execution.json | 20 -- .../windows_scheduled_task_activity.json | 20 -- ...nterpreter_connecting_to_the_internet.json | 20 -- ...windows_signed_binary_proxy_execution.json | 52 +++- ...igned_binary_proxy_execution_download.json | 52 +++- ...uspicious_process_started_by_a_script.json | 52 +++- .../windows_whoami_command_activity.json | 37 ++- .../windows_windump_activity.json | 20 -- .../windows_wireshark_activity.json | 20 -- 160 files changed, 2055 insertions(+), 1880 deletions(-) delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/NOTICE.txt create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json index da0613e1f6fa7..c685d96cdf57b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json @@ -4,22 +4,22 @@ "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "apm-*-transaction*" ], "language": "kuery", "max_signals": 33, "name": "Web Application Suspicious Activity: POST Request Declined", "query": "http.response.status_code:403 and http.request.method:post", - "references": ["https://en.wikipedia.org/wiki/HTTP_403"], - "risk_score": 50, + "references": [ + "https://en.wikipedia.org/wiki/HTTP_403" + ], + "risk_score": 47, "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", - "severity": "low", - "tags": ["Elastic", "apm"], + "severity": "medium", + "tags": [ + "Elastic", + "APM" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json index b0edfb25e9392..64264452d468b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json @@ -4,22 +4,22 @@ "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "apm-*-transaction*" ], "language": "kuery", "max_signals": 33, "name": "Web Application Suspicious Activity: Unauthorized Method", "query": "http.response.status_code:405", - "references": ["https://en.wikipedia.org/wiki/HTTP_405"], - "risk_score": 50, + "references": [ + "https://en.wikipedia.org/wiki/HTTP_405" + ], + "risk_score": 47, "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", - "severity": "low", - "tags": ["Elastic", "apm"], + "severity": "medium", + "tags": [ + "Elastic", + "APM" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json deleted file mode 100644 index 3b4bcbe670921..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/500_response_on_admin_page.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "500 Response on Admin page", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "500 Response on Admin page", - "query": "url.path:\"/admin/\" and http.response.status_code:500", - "risk_score": 50, - "rule_id": "054f669c-b065-492e-acd9-15e44fc42380", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/NOTICE.txt b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/NOTICE.txt new file mode 100644 index 0000000000000..cd5f1cc6f886c --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/NOTICE.txt @@ -0,0 +1,20 @@ +This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack +which is available under a "MIT" license. The files based on this license are: + +- windows_defense_evasion_via_filter_manager.json +- windows_process_discovery_via_tasklist_command.json +- windows_priv_escalation_via_accessibility_features.json +- windows_persistence_via_application_shimming.json +- windows_execution_via_trusted_developer_utilities.json +- windows_execution_via_net_com_assemblies.json +- windows_execution_via_connection_manager.json + +MIT License + +Copyright (c) 2019 Edoardo Gerosa, Olaf Hartong + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json new file mode 100644 index 0000000000000..56d142fdf3ef8 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Adversary behavior detected.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Adversary Behavior - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event", + "risk_score": 47, + "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json new file mode 100644 index 0000000000000..6805696ce6bc9 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Credential dumping detected.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Cred Dumping - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection", + "risk_score": 73, + "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json new file mode 100644 index 0000000000000..68c0f5cad8252 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Credential dumping prevented.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Cred Dumping - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention", + "risk_score": 47, + "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json new file mode 100644 index 0000000000000..0d0d9c71a2ec1 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Credential manipulation detected.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Cred Manipulation - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection", + "risk_score": 73, + "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json new file mode 100644 index 0000000000000..df49c80e3097b --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json @@ -0,0 +1,18 @@ +{ + "description": "Elastic Endpoint Security Alert - Credential manipulation prevented.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Cred Manipulation - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention", + "risk_score": 47, + "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", + "severity": "medium", + "tags": [ + "Elastic" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json new file mode 100644 index 0000000000000..9c3896a70b3a0 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Exploit detected.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Exploit - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection", + "risk_score": 73, + "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json new file mode 100644 index 0000000000000..4632ae6a1487b --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Exploit prevented.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Exploit - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention", + "risk_score": 47, + "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json new file mode 100644 index 0000000000000..68831392942d4 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Malware detected.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Malware - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection", + "risk_score": 99, + "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", + "severity": "critical", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json new file mode 100644 index 0000000000000..56b41df2a3349 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Malware prevented.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Malware - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:prevention", + "risk_score": 73, + "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json new file mode 100644 index 0000000000000..268dc9cf89121 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Permission theft detected.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Permission Theft - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:detection", + "risk_score": 73, + "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json new file mode 100644 index 0000000000000..6deda3d0453b2 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Permission theft prevented.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Permission Theft - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:prevention", + "risk_score": 47, + "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json new file mode 100644 index 0000000000000..25a03e611fe3e --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Process injection detected.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Process Injection - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:detection", + "risk_score": 73, + "rule_id": "80c52164-c82a-402c-9964-852533d58be1", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json new file mode 100644 index 0000000000000..6c549d70a9d41 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Process injection prevented.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Process Injection - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:prevention", + "risk_score": 47, + "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", + "severity": "medium", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json new file mode 100644 index 0000000000000..4a118cf8ab861 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Ransomware detected.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Ransomware - Detected - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:detection", + "risk_score": 99, + "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", + "severity": "critical", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json new file mode 100644 index 0000000000000..8b48e8f4c1758 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json @@ -0,0 +1,19 @@ +{ + "description": "Elastic Endpoint Security Alert - Ransomware prevented.", + "index": [ + "endgame-*" + ], + "language": "kuery", + "max_signals": 33, + "name": "Ransomware - Prevented - Elastic Endpoint", + "query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:prevention", + "risk_score": 73, + "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", + "severity": "high", + "tags": [ + "Elastic", + "Endpoint" + ], + "type": "query", + "version": 1 +} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json index 6843f622bee8f..374691f670b74 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json @@ -1,20 +1,19 @@ { "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Adding the Hidden File Attribute with via attrib.exe", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"", - "risk_score": 25, + "max_signals": 33, + "name": "Adding Hidden File Attribute via Attrib", + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"", + "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json index fcc105f2447e8..47f171dd7be0e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json @@ -1,20 +1,19 @@ { "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Adobe Hijack Persistence", "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe", - "risk_score": 25, + "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json index feaa8451754a5..7ec960eea6302 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json @@ -1,20 +1,19 @@ { "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Audio Capture via PowerShell", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"", - "risk_score": 25, + "risk_score": 21, "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json index 0365616e86faf..87bdfc4980124 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json @@ -1,20 +1,19 @@ { "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Audio Capture via SoundRecorder", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"", - "risk_score": 25, + "risk_score": 21, "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json index e3d57d2b05503..2fa63fa51f7c1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json @@ -1,20 +1,19 @@ { - "description": "Identifies User Account Control (UAC) bypass via eventvwr. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Bypass UAC via Event Viewer", "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")", - "risk_score": 25, + "risk_score": 21, "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json index 0d9346a7e1f88..fdc716dcb3ebe 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json @@ -1,20 +1,19 @@ { - "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "description": "Identifies User Account Control (UAC) bypass via cmstp.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Bypass UAC via CMSTP", + "max_signals": 33, + "name": "Bypass UAC via Cmstp", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")", - "risk_score": 25, + "risk_score": 21, "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json index 3e99f1be6bf2e..484a01e0211ab 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json @@ -1,20 +1,19 @@ { - "description": "Identifies User Account Control (UAC) bypass via cmstp. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "description": "Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Bypass UAC via SDCLT", + "max_signals": 33, + "name": "Bypass UAC via Sdclt", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")", - "risk_score": 25, + "risk_score": 21, "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json index 9d8d3bab1ace7..e9729ff102619 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json @@ -1,20 +1,19 @@ { "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt evade detection or destroy forensic evidence on a system.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Clearing Windows Event Logs", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")", - "risk_score": 25, + "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json index e69de058960d4..479bb4a2a6d7c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json @@ -1,20 +1,19 @@ { - "description": "Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", + "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Delete Volume USN Journal with fsutil", + "max_signals": 33, + "name": "Delete Volume USN Journal with Fsutil", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")", - "risk_score": 25, + "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json index cbf51ffb7c20b..204925e4b677b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json @@ -1,20 +1,19 @@ { - "description": "Identifies use of the wbadmin command to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", + "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Deleting Backup Catalogs with wbadmin", + "max_signals": 33, + "name": "Deleting Backup Catalogs with Wbadmin", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")", - "risk_score": 25, + "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json index 5e8321c6777aa..b6398a9985e7e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json @@ -1,20 +1,19 @@ { "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Direct Outbound SMB Connection", "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")", - "risk_score": 50, + "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json index c9510913a151f..32b43cc24e91b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json @@ -1,20 +1,19 @@ { - "description": "Identifies use of the netsh command to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", + "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Disable Windows Firewall Rules with Netsh", + "max_signals": 33, + "name": "Disable Windows Firewall Rules via Netsh", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")", - "risk_score": 50, + "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json index 214ddfaf0feec..5740453b6ae6d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json @@ -1,20 +1,19 @@ { "description": "Detects writing DLL files to known locations associated with Windows files vulnerable to DLL search order hijacking.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "DLL Search Order Hijack", "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ", - "risk_score": 50, + "risk_score": 47, "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json index e531a2d05a97e..37e1c26885a15 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json @@ -1,20 +1,19 @@ { "description": "Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Encoding or Decoding Files via CertUtil", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")", - "risk_score": 50, + "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json index 426d32b9b1e48..dc4991f86a0f5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json @@ -1,20 +1,22 @@ { "description": "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Local Scheduled Task Commands", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")", - "risk_score": 25, + "risk_score": 21, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json index 71f94ecf91788..eb6f2377376f2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json @@ -1,20 +1,19 @@ { "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Local Service Commands", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")", - "risk_score": 25, + "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json index 162dfe717df55..26bd65b897c63 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json @@ -1,20 +1,19 @@ { - "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Modification of Boot Configuration", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ", - "risk_score": 75, + "risk_score": 73, "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8", "severity": "high", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json index 296f6f0862374..d40ffed523c6a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json @@ -1,20 +1,19 @@ { "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "MsBuild Making Network Connections", "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")", - "risk_score": 50, + "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json index 18c9e286c99ef..7905d80c6e8c2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json @@ -1,21 +1,22 @@ { - "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", + "description": "Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Mshta Making Network Connections", + "max_signals": 33, + "name": "Network Connection via Mshta", "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"", - "references": ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"], - "risk_score": 50, + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + ], + "risk_score": 47, "rule_id": "a4ec1382-4557-452b-89ba-e413b22ed4b8", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json index b21b17cd89abf..16ef15589f48f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json @@ -1,20 +1,19 @@ { - "description": "Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often leveraged by adversaries to execute malicious scripts and evade detection.", + "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "MsXsl Making Network Connections", + "max_signals": 33, + "name": "Network Connection via MsXsl", "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, + "risk_score": 47, "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json index 3e04dd4be292b..fd210005118b8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json @@ -1,20 +1,54 @@ { - "description": "Identifies use of the SysInternals tool PsExec to execute commands on a remote host. This is an indication of lateral movement and may detect adversaries.", + "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", + "false_positives": [ + "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "PsExec Lateral Movement Command", + "max_signals": 33, + "name": "PsExec Network Connection", "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ", - "risk_score": 50, + "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1035", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1035/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1035", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1035/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json index ac66af50ecd1d..a5d71e23a1215 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json @@ -1,20 +1,19 @@ { "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Suspicious MS Office Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", - "risk_score": 25, + "risk_score": 21, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json index 928144f0ecf0c..86716d6608049 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json @@ -1,20 +1,19 @@ { "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Suspicious MS Outlook Child Process", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", - "risk_score": 25, + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", + "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json index 160da5b899042..b0fbccf1b67a7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json @@ -1,20 +1,19 @@ { "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "EQL - Suspicious PDF Reader Child Process", + "max_signals": 33, + "name": "Suspicious PDF Reader Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", - "risk_score": 75, + "risk_score": 73, "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f", "severity": "high", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json index 268e8110c508d..984b522596c1e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json @@ -1,20 +1,19 @@ { "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "System Shells via Services", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")", - "risk_score": 50, + "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json index 7332cc7710347..03b9bebb655c3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json @@ -1,20 +1,19 @@ { - "description": "Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.", + "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Unusual Network Connection via RunDLL32", "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 25, + "risk_score": 21, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json index d13d23a9354f7..72eb17863e0d3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json @@ -1,20 +1,19 @@ { "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Unusual Parent-Child Relationship ", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )", - "risk_score": 50, + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )", + "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json index 138ecbb820513..8ca16198ff175 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json @@ -1,20 +1,19 @@ { "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Unusual Process Network Connection", "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)", - "risk_score": 25, + "risk_score": 21, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json index 9f3ecdb7a7f57..dee3d18bd5eda 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json @@ -1,20 +1,19 @@ { "description": "Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "User Account Creation", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ", - "risk_score": 50, + "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json index 1a0e0f8dcb2ad..4ed6a06b18d3b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json @@ -1,20 +1,19 @@ { "description": "Identifies attempts to add a user to an administrative group with the \"net.exe\" command. This is sometimes done by attackers to increase access of a compromised account or create new account.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "User Added to Administrator Group", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ", - "risk_score": 50, + "risk_score": 47, "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27", "severity": "medium", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json index 794fec38b380e..cdeeb1563dfde 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json @@ -1,20 +1,19 @@ { "description": "Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Volume Shadow Copy Deletion via VssAdmin", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ", - "risk_score": 75, + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ", + "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "severity": "high", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json index a3e94b08275be..9465cf84d73f4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json @@ -1,20 +1,19 @@ { - "description": "Identifies use of wmic for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Volume Shadow Copy Deletion via WMIC", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")", - "risk_score": 75, + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")", + "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "severity": "high", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json index 868d84ef9ebce..f3df1276de53d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json @@ -1,20 +1,19 @@ { - "description": "Identifies a PowerShell process launched by either CScript or WScript. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", + "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "Windows Script Executing PowerShell", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"", - "risk_score": 50, + "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json index 5c2804507cbd2..a50d9e64f2e2b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json @@ -1,20 +1,22 @@ { "description": "Identifies use of wmic.exe to run commands on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", + "false_positives": [ + "The WMIC utility provides a command-line interface for WMI, which can be used for an array of administrative capabilities. It's important to baseline your environment to determine any abnormal use of this tool." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 33, "name": "WMIC Command Lateral Movement", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")", - "risk_score": 25, + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")", + "risk_score": 21, "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts index a70ff7d13f0ee..cd6d899133bff 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts @@ -9,147 +9,117 @@ import rule1 from './403_response_to_a_post.json'; import rule2 from './405_response_method_not_allowed.json'; -import rule3 from './500_response_on_admin_page.json'; -import rule4 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; -import rule5 from './eql_adobe_hijack_persistence.json'; -import rule6 from './eql_audio_capture_via_powershell.json'; -import rule7 from './eql_audio_capture_via_soundrecorder.json'; -import rule8 from './eql_bypass_uac_event_viewer.json'; -import rule9 from './eql_bypass_uac_via_cmstp.json'; -import rule10 from './eql_bypass_uac_via_sdclt.json'; -import rule11 from './eql_clearing_windows_event_logs.json'; -import rule12 from './eql_delete_volume_usn_journal_with_fsutil.json'; -import rule13 from './eql_deleting_backup_catalogs_with_wbadmin.json'; -import rule14 from './eql_direct_outbound_smb_connection.json'; -import rule15 from './eql_disable_windows_firewall_rules_with_netsh.json'; -import rule16 from './eql_dll_search_order_hijack.json'; -import rule17 from './eql_encoding_or_decoding_files_via_certutil.json'; -import rule18 from './eql_local_scheduled_task_commands.json'; -import rule19 from './eql_local_service_commands.json'; -import rule20 from './eql_modification_of_boot_configuration.json'; -import rule21 from './eql_msbuild_making_network_connections.json'; -import rule22 from './eql_mshta_making_network_connections.json'; -import rule23 from './eql_msxsl_making_network_connections.json'; -import rule24 from './eql_psexec_lateral_movement_command.json'; -import rule25 from './eql_suspicious_ms_office_child_process.json'; -import rule26 from './eql_suspicious_ms_outlook_child_process.json'; -import rule27 from './eql_suspicious_pdf_reader_child_process.json'; -import rule28 from './eql_system_shells_via_services.json'; -import rule29 from './eql_unusual_network_connection_via_rundll32.json'; -import rule30 from './eql_unusual_parentchild_relationship.json'; -import rule31 from './eql_unusual_process_network_connection.json'; -import rule32 from './eql_user_account_creation.json'; -import rule33 from './eql_user_added_to_administrator_group.json'; -import rule34 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; -import rule35 from './eql_volume_shadow_copy_deletion_via_wmic.json'; -import rule36 from './eql_windows_script_executing_powershell.json'; -import rule37 from './eql_wmic_command_lateral_movement.json'; -import rule38 from './linux_hping_activity.json'; -import rule39 from './linux_iodine_activity.json'; -import rule40 from './linux_kernel_module_activity.json'; -import rule41 from './linux_ldso_process_activity.json'; -import rule42 from './linux_lzop_activity.json'; -import rule43 from './linux_mknod_activity.json'; -import rule44 from './linux_netcat_network_connection.json'; -import rule45 from './linux_network_anomalous_process_using_https_ports.json'; -import rule46 from './linux_nmap_activity.json'; -import rule47 from './linux_nping_activity.json'; -import rule48 from './linux_process_started_in_temp_directory.json'; -import rule49 from './linux_ptrace_activity.json'; -import rule50 from './linux_rawshark_activity.json'; -import rule51 from './linux_shell_activity_by_web_server.json'; -import rule52 from './linux_socat_activity.json'; -import rule53 from './linux_ssh_forwarding.json'; -import rule54 from './linux_strace_activity.json'; -import rule55 from './linux_tcpdump_activity.json'; -import rule56 from './linux_web_download.json'; -import rule57 from './linux_whoami_commmand.json'; -import rule58 from './network_dns_directly_to_the_internet.json'; -import rule59 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; -import rule60 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; -import rule61 from './network_nat_traversal_port_activity.json'; -import rule62 from './network_port_26_activity.json'; -import rule63 from './network_port_8000_activity.json'; -import rule64 from './network_port_8000_activity_to_the_internet.json'; -import rule65 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; -import rule66 from './network_proxy_port_activity_to_the_internet.json'; -import rule67 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; -import rule68 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; -import rule69 from './network_rpc_remote_procedure_call_from_the_internet.json'; -import rule70 from './network_rpc_remote_procedure_call_to_the_internet.json'; -import rule71 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule72 from './network_smtp_to_the_internet.json'; -import rule73 from './network_sql_server_port_activity_to_the_internet.json'; -import rule74 from './network_ssh_secure_shell_from_the_internet.json'; -import rule75 from './network_ssh_secure_shell_to_the_internet.json'; -import rule76 from './network_telnet_port_activity.json'; -import rule77 from './network_tor_activity_to_the_internet.json'; -import rule78 from './network_vnc_virtual_network_computing_from_the_internet.json'; -import rule79 from './network_vnc_virtual_network_computing_to_the_internet.json'; -import rule80 from './null_user_agent.json'; -import rule81 from './sqlmap_user_agent.json'; -import rule82 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; -import rule83 from './windows_burp_ce_activity.json'; -import rule84 from './windows_certutil_connecting_to_the_internet.json'; -import rule85 from './windows_command_prompt_connecting_to_the_internet.json'; -import rule86 from './windows_command_shell_started_by_internet_explorer.json'; -import rule87 from './windows_command_shell_started_by_powershell.json'; -import rule88 from './windows_command_shell_started_by_svchost.json'; -import rule89 from './windows_credential_dumping_commands.json'; -import rule90 from './windows_credential_dumping_via_imageload.json'; -import rule91 from './windows_credential_dumping_via_registry_save.json'; -import rule92 from './windows_data_compression_using_powershell.json'; -import rule93 from './windows_defense_evasion_decoding_using_certutil.json'; -import rule94 from './windows_defense_evasion_or_persistence_via_hidden_files.json'; -import rule95 from './windows_defense_evasion_via_filter_manager.json'; -import rule96 from './windows_defense_evasion_via_windows_event_log_tools.json'; +import rule3 from './elastic_endpoint_security_adversary_behavior_detected.json'; +import rule4 from './elastic_endpoint_security_cred_dumping_detected.json'; +import rule5 from './elastic_endpoint_security_cred_dumping_prevented.json'; +import rule6 from './elastic_endpoint_security_cred_manipulation_detected.json'; +import rule7 from './elastic_endpoint_security_cred_manipulation_prevented.json'; +import rule8 from './elastic_endpoint_security_exploit_detected.json'; +import rule9 from './elastic_endpoint_security_exploit_prevented.json'; +import rule10 from './elastic_endpoint_security_malware_detected.json'; +import rule11 from './elastic_endpoint_security_malware_prevented.json'; +import rule12 from './elastic_endpoint_security_permission_theft_detected.json'; +import rule13 from './elastic_endpoint_security_permission_theft_prevented.json'; +import rule14 from './elastic_endpoint_security_process_injection_detected.json'; +import rule15 from './elastic_endpoint_security_process_injection_prevented.json'; +import rule16 from './elastic_endpoint_security_ransomware_detected.json'; +import rule17 from './elastic_endpoint_security_ransomware_prevented.json'; +import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; +import rule19 from './eql_adobe_hijack_persistence.json'; +import rule20 from './eql_audio_capture_via_powershell.json'; +import rule21 from './eql_audio_capture_via_soundrecorder.json'; +import rule22 from './eql_bypass_uac_event_viewer.json'; +import rule23 from './eql_bypass_uac_via_cmstp.json'; +import rule24 from './eql_bypass_uac_via_sdclt.json'; +import rule25 from './eql_clearing_windows_event_logs.json'; +import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json'; +import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json'; +import rule28 from './eql_direct_outbound_smb_connection.json'; +import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json'; +import rule30 from './eql_dll_search_order_hijack.json'; +import rule31 from './eql_encoding_or_decoding_files_via_certutil.json'; +import rule32 from './eql_local_scheduled_task_commands.json'; +import rule33 from './eql_local_service_commands.json'; +import rule34 from './eql_modification_of_boot_configuration.json'; +import rule35 from './eql_msbuild_making_network_connections.json'; +import rule36 from './eql_mshta_making_network_connections.json'; +import rule37 from './eql_msxsl_making_network_connections.json'; +import rule38 from './eql_psexec_lateral_movement_command.json'; +import rule39 from './eql_suspicious_ms_office_child_process.json'; +import rule40 from './eql_suspicious_ms_outlook_child_process.json'; +import rule41 from './eql_suspicious_pdf_reader_child_process.json'; +import rule42 from './eql_system_shells_via_services.json'; +import rule43 from './eql_unusual_network_connection_via_rundll32.json'; +import rule44 from './eql_unusual_parentchild_relationship.json'; +import rule45 from './eql_unusual_process_network_connection.json'; +import rule46 from './eql_user_account_creation.json'; +import rule47 from './eql_user_added_to_administrator_group.json'; +import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; +import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json'; +import rule50 from './eql_windows_script_executing_powershell.json'; +import rule51 from './eql_wmic_command_lateral_movement.json'; +import rule52 from './linux_hping_activity.json'; +import rule53 from './linux_iodine_activity.json'; +import rule54 from './linux_kernel_module_activity.json'; +import rule55 from './linux_ldso_process_activity.json'; +import rule56 from './linux_mknod_activity.json'; +import rule57 from './linux_netcat_network_connection.json'; +import rule58 from './linux_nmap_activity.json'; +import rule59 from './linux_nping_activity.json'; +import rule60 from './linux_process_started_in_temp_directory.json'; +import rule61 from './linux_shell_activity_by_web_server.json'; +import rule62 from './linux_socat_activity.json'; +import rule63 from './linux_ssh_forwarding.json'; +import rule64 from './linux_strace_activity.json'; +import rule65 from './linux_tcpdump_activity.json'; +import rule66 from './linux_whoami_commmand.json'; +import rule67 from './network_dns_directly_to_the_internet.json'; +import rule68 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; +import rule69 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; +import rule70 from './network_nat_traversal_port_activity.json'; +import rule71 from './network_port_26_activity.json'; +import rule72 from './network_port_8000_activity_to_the_internet.json'; +import rule73 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; +import rule74 from './network_proxy_port_activity_to_the_internet.json'; +import rule75 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; +import rule76 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; +import rule77 from './network_rpc_remote_procedure_call_from_the_internet.json'; +import rule78 from './network_rpc_remote_procedure_call_to_the_internet.json'; +import rule79 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; +import rule80 from './network_smtp_to_the_internet.json'; +import rule81 from './network_sql_server_port_activity_to_the_internet.json'; +import rule82 from './network_ssh_secure_shell_from_the_internet.json'; +import rule83 from './network_ssh_secure_shell_to_the_internet.json'; +import rule84 from './network_telnet_port_activity.json'; +import rule85 from './network_tor_activity_to_the_internet.json'; +import rule86 from './network_vnc_virtual_network_computing_from_the_internet.json'; +import rule87 from './network_vnc_virtual_network_computing_to_the_internet.json'; +import rule88 from './null_user_agent.json'; +import rule89 from './sqlmap_user_agent.json'; +import rule90 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; +import rule91 from './windows_certutil_connecting_to_the_internet.json'; +import rule92 from './windows_command_prompt_connecting_to_the_internet.json'; +import rule93 from './windows_command_shell_started_by_internet_explorer.json'; +import rule94 from './windows_command_shell_started_by_powershell.json'; +import rule95 from './windows_command_shell_started_by_svchost.json'; +import rule96 from './windows_defense_evasion_via_filter_manager.json'; import rule97 from './windows_execution_via_compiled_html_file.json'; import rule98 from './windows_execution_via_connection_manager.json'; -import rule99 from './windows_execution_via_microsoft_html_application_hta.json'; -import rule100 from './windows_execution_via_net_com_assemblies.json'; -import rule101 from './windows_execution_via_regsvr32.json'; -import rule102 from './windows_execution_via_trusted_developer_utilities.json'; -import rule103 from './windows_html_help_executable_program_connecting_to_the_internet.json'; -import rule104 from './windows_image_load_from_a_temp_directory.json'; -import rule105 from './windows_indirect_command_execution.json'; -import rule106 from './windows_iodine_activity.json'; -import rule107 from './windows_management_instrumentation_wmi_execution.json'; -import rule108 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json'; -import rule109 from './windows_mimikatz_activity.json'; -import rule110 from './windows_misc_lolbin_connecting_to_the_internet.json'; -import rule111 from './windows_net_command_activity_by_the_system_account.json'; -import rule112 from './windows_net_user_command_activity.json'; -import rule113 from './windows_netcat_activity.json'; -import rule114 from './windows_netcat_network_activity.json'; -import rule115 from './windows_network_anomalous_windows_process_using_https_ports.json'; -import rule116 from './windows_nmap_activity.json'; -import rule117 from './windows_nmap_scan_activity.json'; -import rule118 from './windows_payload_obfuscation_via_certutil.json'; -import rule119 from './windows_persistence_or_priv_escalation_via_hooking.json'; -import rule120 from './windows_persistence_via_application_shimming.json'; -import rule121 from './windows_persistence_via_bits_jobs.json'; -import rule122 from './windows_persistence_via_modification_of_existing_service.json'; -import rule123 from './windows_persistence_via_netshell_helper_dll.json'; -import rule124 from './windows_powershell_connecting_to_the_internet.json'; -import rule125 from './windows_priv_escalation_via_accessibility_features.json'; -import rule126 from './windows_process_discovery_via_tasklist_command.json'; -import rule127 from './windows_process_execution_via_wmi.json'; -import rule128 from './windows_process_started_by_acrobat_reader_possible_payload.json'; -import rule129 from './windows_process_started_by_ms_office_program_possible_payload.json'; -import rule130 from './windows_process_started_by_the_java_runtime.json'; -import rule131 from './windows_psexec_activity.json'; -import rule132 from './windows_register_server_program_connecting_to_the_internet.json'; -import rule133 from './windows_registry_query_local.json'; -import rule134 from './windows_registry_query_network.json'; -import rule135 from './windows_remote_management_execution.json'; -import rule136 from './windows_scheduled_task_activity.json'; -import rule137 from './windows_script_interpreter_connecting_to_the_internet.json'; -import rule138 from './windows_signed_binary_proxy_execution.json'; -import rule139 from './windows_signed_binary_proxy_execution_download.json'; -import rule140 from './windows_suspicious_process_started_by_a_script.json'; -import rule141 from './windows_whoami_command_activity.json'; -import rule142 from './windows_windump_activity.json'; -import rule143 from './windows_wireshark_activity.json'; +import rule99 from './windows_execution_via_net_com_assemblies.json'; +import rule100 from './windows_execution_via_regsvr32.json'; +import rule101 from './windows_execution_via_trusted_developer_utilities.json'; +import rule102 from './windows_html_help_executable_program_connecting_to_the_internet.json'; +import rule103 from './windows_misc_lolbin_connecting_to_the_internet.json'; +import rule104 from './windows_net_command_activity_by_the_system_account.json'; +import rule105 from './windows_persistence_via_application_shimming.json'; +import rule106 from './windows_priv_escalation_via_accessibility_features.json'; +import rule107 from './windows_process_discovery_via_tasklist_command.json'; +import rule108 from './windows_process_execution_via_wmi.json'; +import rule109 from './windows_register_server_program_connecting_to_the_internet.json'; +import rule110 from './windows_signed_binary_proxy_execution.json'; +import rule111 from './windows_signed_binary_proxy_execution_download.json'; +import rule112 from './windows_suspicious_process_started_by_a_script.json'; +import rule113 from './windows_whoami_command_activity.json'; export const rawRules = [ rule1, rule2, @@ -264,34 +234,4 @@ export const rawRules = [ rule111, rule112, rule113, - rule114, - rule115, - rule116, - rule117, - rule118, - rule119, - rule120, - rule121, - rule122, - rule123, - rule124, - rule125, - rule126, - rule127, - rule128, - rule129, - rule130, - rule131, - rule132, - rule133, - rule134, - rule135, - rule136, - rule137, - rule138, - rule139, - rule140, - rule141, - rule142, - rule143, ]; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json index d0a07ce2d0365..517e16fb3d284 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json @@ -4,22 +4,22 @@ "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Hping Process Activity", "query": "process.name: hping and event.action:executed", - "references": ["https://en.wikipedia.org/wiki/Hping"], - "risk_score": 75, + "references": [ + "https://en.wikipedia.org/wiki/Hping" + ], + "risk_score": 73, "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "severity": "high", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json index 1a116735e98f3..49f18ef9871a1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json @@ -1,25 +1,25 @@ { - "description": "Iodine is a tool for tunneling internet protocol version 4 (IPV4) trafic over the DNS protocol in order to circumvent firewalls, network security groups or network access lists while evading detection.", + "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol in order to circumvent firewalls, network security groups or network access lists while evading detection.", "false_positives": [ "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Potential DNS Tunneling via Iodine", "query": "process.name: (iodine or iodined) and event.action:executed", - "references": ["https://code.kryo.se/iodine/"], - "risk_score": 75, + "references": [ + "https://code.kryo.se/iodine/" + ], + "risk_score": 73, "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2", "severity": "high", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json index 1529862571381..8c94694ca4d04 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json @@ -3,17 +3,23 @@ "false_positives": [ "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon." ], - "index": ["auditbeat-*"], + "index": [ + "auditbeat-*" + ], + "language": "kuery", "max_signals": 33, "name": "Persistence via Kernel Module Modification", "query": "process.name: (insmod or kmod or modprobe or rmod) and event.action:executed", "references": [ "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM" ], - "risk_score": 25, + "risk_score": 21, "rule_id": "81cc58f5-8062-49a2-ba84-5cc4b4d31c40", "severity": "low", - "tags": ["Elastic", "auditbeat"], + "tags": [ + "Elastic", + "Linux" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json index 187fc6379ef25..82a2a16080160 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json @@ -1,24 +1,22 @@ { - "description": "ld.so runs in a privlieged context and can be used to escape restrictive environments by spawning a shell in order to elevate privlieges or move laterally.", + "description": "The dynamic linker, ld.so, runs in a privileged context and can be used to escape restrictive environments by spawning a shell in order to elevate privileges or move laterally.", "false_positives": [ "ld.so is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or administrators. Use of ld.so by non-engineers or ordinary users is uncommon." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Ld.so Process Activity", "query": "process.name:ld.so and event.action:executed", - "risk_score": 25, + "risk_score": 21, "rule_id": "3f31a31c-f7cf-4268-a0df-ec1a98099e7f", "severity": "low", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json deleted file mode 100644 index 8061ff72e130b..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Linux lzop activity - possible @JulianRunnels", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Linux lzop activity", - "query": "process.name:lzop and event.action:executed", - "risk_score": 50, - "rule_id": "d7359214-54a4-4572-9e51-ebf79cda9b04", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json index 1fe4802c6cf79..8f4e1f40fad12 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json @@ -1,25 +1,25 @@ { - "description": "The Linux mknod program is sometimes used in the command paylod of remote command injection (RCI) and other exploits to export a command shell when the traditional version of netcat is not available to the payload.", + "description": "The Linux mknod program is sometimes used in the command payload of remote command injection (RCI) and other exploits to export a command shell when the traditional version of netcat is not available to the payload.", "false_positives": [ "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Mknod Process Activity", "query": "process.name: mknod and event.action:executed", - "references": ["https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem"], - "risk_score": 25, + "references": [ + "https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem" + ], + "risk_score": 21, "rule_id": "61c31c14-507f-4627-8c31-072556b89a9c", "severity": "low", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json index 6d57d0cbab375..b06a342d24977 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json @@ -1,15 +1,10 @@ { - "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltation. ", + "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. ", "false_positives": [ "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools and frameworks." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, @@ -20,10 +15,13 @@ "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", "https://en.wikipedia.org/wiki/Netcat" ], - "risk_score": 50, + "risk_score": 47, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "severity": "medium", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json deleted file mode 100644 index f10c940f8bb93..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_network_anomalous_process_using_https_ports.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Linux Network - Anomalous Process Using HTTP/S Ports", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Linux Network - Anomalous Process Using HTTP/S Ports", - "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:curl and not process.name:http and not process.name:https and not process.name:nginx and not process.name:packetbeat and not process.name:python2 and not process.name:snapd and not process.name:wget", - "risk_score": 50, - "rule_id": "be40c674-1799-4a00-934d-0b2d54495913", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json index b2284eea3f309..406cd8e026e7a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json @@ -1,25 +1,25 @@ { - "description": "Nmap ran on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks and identify listneing services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", + "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", "false_positives": [ "Security testing tools and frameworks may run nmap in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Nmap Process Activity", "query": "process.name: nmap", - "references": ["https://en.wikipedia.org/wiki/Nmap"], - "risk_score": 25, + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "risk_score": 21, "rule_id": "c87fca17-b3a9-4e83-b545-f30746c53920", "severity": "low", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json index 4d37f32fb3ca0..de53e05e70fa3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json @@ -4,22 +4,22 @@ "Some normal use of this command may originate from security engineers and network or server administrators but this is usually not routine or unannounced. Use of nping by non-engineers or ordinary users is uncommon." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Nping Process Activity", "query": "process.name: nping and event.action:executed", - "references": ["https://en.wikipedia.org/wiki/Nmap"], - "risk_score": 50, + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "medium", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json index d38cead306cd4..4ed021a4c864d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json @@ -4,21 +4,19 @@ "Build systems like Jenkins may start processes in the /tmp directory. These can be exempted by name or by username." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Unusual Process Execution - Temp", "query": "process.working_directory: /tmp and event.action:executed", - "risk_score": 50, + "risk_score": 47, "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", "severity": "medium", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json deleted file mode 100644 index 6f99312c04a00..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ptrace_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Linux: Ptrace Activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Linux: Ptrace Activity", - "query": "process.name: ptrace and event.action:executed", - "risk_score": 50, - "rule_id": "1bff9259-e160-4920-bf72-4c96b6dbb7af", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json deleted file mode 100644 index 148468e959899..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_rawshark_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Linux: Rawshark Activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Linux: Rawshark Activity", - "query": "process.name: rawshark and event.action:executed", - "risk_score": 50, - "rule_id": "30eb2b9d-b53b-4ba5-bfab-7119a8b84029", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index 1711f45e770ed..c7d856cbe61f3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json @@ -3,16 +3,23 @@ "false_positives": [ "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." ], - "index": ["auditbeat-*"], + "index": [ + "auditbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "Potential Shell via Web Server", "query": "process.name: bash and (user.name: apache or www) and event.action:executed", - "references": ["https://pentestlab.blog/tag/web-shell/"], - "risk_score": 50, + "references": [ + "https://pentestlab.blog/tag/web-shell/" + ], + "risk_score": 47, "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", - "severity": "low", - "tags": ["Elastic", "linux"], + "severity": "medium", + "tags": [ + "Elastic", + "Linux" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json index 364a2bee65c23..481a99518d4ed 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json @@ -4,12 +4,7 @@ "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, @@ -18,10 +13,13 @@ "references": [ "https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat" ], - "risk_score": 50, + "risk_score": 47, "rule_id": "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126", "severity": "medium", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json index 3447689f08d62..3b61814ab66fd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json @@ -4,22 +4,23 @@ "Some normal use of this command may originate from usage by engineers as an alternative or ad-hoc remote access solution. Use of this command by non-administrative users is uncommon." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Potential Lateral Movement via SSH Port Forwarding", "query": "process.name:ssh and process.args:\"-R\" and event.action:executed", - "references": ["https://www.ssh.com/ssh/tunneling", "https://www.ssh.com/ssh/tunneling/example"], - "risk_score": 50, + "references": [ + "https://www.ssh.com/ssh/tunneling", + "https://www.ssh.com/ssh/tunneling/example" + ], + "risk_score": 47, "rule_id": "45d256ab-e665-445b-8306-2f83a8db59f8", "severity": "medium", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json index b0c2b4ecd07c2..6f8bc112fd011 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json @@ -1,25 +1,25 @@ { - "description": "Strace runs in a privlieged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privlieges or move laterally.", + "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privlieges or move laterally.", "false_positives": [ "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Strace Process Activity", "query": "process.name: strace and event.action:executed", - "references": ["https://en.wikipedia.org/wiki/Strace"], - "risk_score": 25, + "references": [ + "https://en.wikipedia.org/wiki/Strace" + ], + "risk_score": 21, "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", "severity": "low", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json index 594aee0eca708..b6dc7f1689770 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json @@ -4,21 +4,19 @@ "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "auditbeat-*" ], "language": "kuery", "max_signals": 33, "name": "Network Sniffing via Tcpdump", "query": "process.name: tcpdump and event.action:executed", - "risk_score": 25, + "risk_score": 21, "rule_id": "7a137d76-ce3d-48e2-947d-2747796a78c0", "severity": "low", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json deleted file mode 100644 index 311e2b5779602..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_web_download.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Linux: Web Download", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Linux: Web Download", - "query": "process.name: (curl or wget) and event.action:executed", - "risk_score": 50, - "rule_id": "e8ec93a6-49d2-4467-8c12-81c435fcc519", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json index a370a44d4eb46..91c6d2bcc9f95 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json @@ -1,14 +1,22 @@ { - "description": "The 'whoami' command was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privlieged access.", - "index": ["auditbeat-*"], + "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", + "false_positives": [ + "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." + ], + "index": [ + "auditbeat-*" + ], "language": "kuery", "max_signals": 33, "name": "User Discovery via Whoami", "query": "process.name: whoami and event.action:executed", - "risk_score": 25, + "risk_score": 21, "rule_id": "120559c6-5e24-49f4-9e30-8ffe697df6b9", "severity": "low", - "tags": ["Elastic", "linux"], + "tags": [ + "Elastic", + "Linux" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json index 5c1d64e294159..3d1b07a267eca 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json @@ -1,26 +1,29 @@ { - "description": "This signal detects DNS network traffic logs that indicate an internal network\nclient reaching out to infrastructure on the Internet directly to answer name\nqueries. This activity could be a default or misconfiguration. This impacts\nyour organization's ability to provide enterprise monitoring and logging of DNS\nand opens your network to a variety of abuses or malicious communications.\n", + "description": "This signal detects internal network client sending DNS traffic directly to the Internet.\nThis is atypical behavior for a managed network and can be indicative of malware,\nexfiltration, command and control or simply misconfiguration. This also impacts your\norganization's ability to provide enterprise monitoring and logging of DNS and opens\nyour network to a variety of abuses or malicious communications.\n", "false_positives": [ - "You should apply a filter to this rule to exclude your enterprise nameservers that are expected to reach out to the Internet" + "DNS servers should be excluded from this rule as this is expected behavior for them. Endpoints usually query local DNS servers defined in their DHCP scopes but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it would tend to break intra-net name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations; in that case, such devices or networks can be excluded from this rule if this is expected behavior." ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], + "language": "kuery", "name": "DNS Activity to the Internet", "query": "destination.port:53 and (\n network.direction: outbound or (\n source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\\:\\:fb or 255.255.255.255 )\n )\n)\n", "references": [ "https://www.us-cert.gov/ncas/alerts/TA15-240A", "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf" ], - "risk_score": 50, + "risk_score": 47, "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "medium", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json index 62064db7e1443..ef7b39412c808 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json @@ -1,7 +1,9 @@ { - "description": "This signal detects events that may indicate the use of FTP network connections.\nThe File Transfer Protocol (FTP) has been around in its current form since the\n1980's. It can be an efficient and normal procedure on your network to send and\nreceive files. Because it is common and efficient, adversaries will also often\nuse this protocol to exfiltrate data from your network or download new tools.\nAdditionally, FTP is a plaintext protocol which may expose your username and\npassword, if intercepted.\n", + "description": "This signal detects events that may indicate the use of FTP network connections to the Internet.\nThe File Transfer Protocol (FTP) has been around in its current form since the\n1980's. It can be an efficient and normal procedure on your network to send and\nreceive files. Because it is common and efficient, adversaries will also often\nuse this protocol to ex-filtrate data from your network or download new tools.\nAdditionally, FTP is a plain-text protocol which may expose your user name and\npassword, if intercepted. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.\n", + "false_positives": [ + "FTP servers should be excluded from this rule as this is expected behavior for them. Some business work-flows may use FTP for data exchange. These work-flows often have expected characteristics such as users, sources and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP work-flow or business requirement is often suspicious. NEW NEW" + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "FTP (File Transfer Protocol) Activity to the Internet", "query": "network.transport: tcp and destination.port: (20 or 21) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 25, + "risk_score": 21, "rule_id": "87ec6396-9ac4-4706-bcf0-2ebb22002f43", "severity": "low", - "tags": ["Elastic", "network"], + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", @@ -36,11 +41,11 @@ "tactic": { "id": "TA0010", "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [ { - "id": "T1043", + "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/" } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json index 4590fdf39d143..2700eae977482 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json @@ -1,7 +1,9 @@ { - "description": "This signal detects events that use common ports for IRC to the Internet. IRC\nis a common protocol that can be used chat and file transfer. This protocol\nalso makes a good candidate for remote control of malware and data transfer in\nand out of a network.\n", + "description": "This signal detects events that use common ports for IRC to the Internet. IRC (Internet Relay Chat)\nis a common protocol that can be used chat and file transfer. This protocol\nalso makes a good candidate for remote control of malware and data transfer in\nand out of a network.\n", + "false_positives": [ + "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATted web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some legacy applications may use these ports but this is very uncommon and usually appears only in local traffic using private IPs which this rule does not match." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", "query": "network.transport: tcp and destination.port:(6667 or 6697) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 25, + "risk_score": 47, "rule_id": "c6474c34-4953-447a-903e-9fcb7b6661aa", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "medium", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", @@ -40,7 +45,7 @@ }, "technique": [ { - "id": "T1043", + "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/" } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json index e74bed3463993..e87e296017a36 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json @@ -1,7 +1,9 @@ { "description": "This signal detects events that could be describing IPSEC NAT Traversal traffic.\nIPSEC is a VPN technology that allows one system to talk to another using\nencrypted tunnels. NAT Traversal enables these tunnels to communicate over\nthe Internet where one of the sides is behind a NAT router gateway. This may\nbe common on your network, but this technique is also used by threat actors\nto avoid detection.\n", + "false_positives": [ + "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions such as when a application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded if desired." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "IPSEC NAT Traversal Port Activity", "query": "network.transport: udp and destination.port: 4500", - "risk_score": 25, + "risk_score": 21, "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", - "tags": ["Elastic", "network"], + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json index e05e83ff0a1ee..59db16c7b7d3d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json @@ -1,7 +1,9 @@ { "description": "This signal detects events that may indicate use of SMTP on TCP port 26. This\nport is commonly used by several popular mail transfer agents to deconflict\nwith the default SMTP port 25. This port has also been used by a malware family\ncalled BadPatch for command and control of Windows systems.\n", + "false_positives": [ + "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior for them." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -15,10 +17,13 @@ "https://unit42.paloaltonetworks.com/unit42-badpatch/", "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" ], - "risk_score": 25, + "risk_score": 21, "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", - "tags": ["Elastic", "network"], + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json deleted file mode 100644 index 73a634a3a9f42..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Network - Port 8000 Activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Network - Port 8000 Activity", - "query": "destination.port:8000", - "risk_score": 50, - "rule_id": "9c5f8092-e3f7-4eda-b9d3-56eed28fb157", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json index e193ab83d89fd..2b3d08a7c80d9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json @@ -1,7 +1,9 @@ { "description": "TCP Port 8000 is commonly used for development environments of web server\nsoftware. It generally should not be exposed directly to the Internet. If you are\nrunning software like this on the Internet, you should consider placing it behind\na reverse proxy.\n", + "false_positives": [ + "Because this port is in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "TCP Port 8000 Activity to the Internet", "query": "network.transport: tcp and destination.port: 8000 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 25, + "risk_score": 21, "rule_id": "08d5d7e2-740f-44d8-aeda-e41f4263efaf", "severity": "low", - "tags": ["Elastic", "network"], + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json index 7b527dbc09a44..b008ca2c2bee6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json @@ -1,7 +1,9 @@ { "description": "This signal detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.", + "false_positives": [ + "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions such as when an application server with replies to a client which has used this port by coincidence. This is uncommon but such servers can be excluded if desired." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,30 @@ "language": "kuery", "name": "PPTP (Point to Point Tunneling Protocol) Activity", "query": "network.transport: tcp and destination.port: 1723", - "risk_score": 25, + "risk_score": 21, "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", "severity": "low", - "tags": ["Elastic", "network"], + "tags": [ + "Elastic", + "network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json index 50f521ea91e2b..f7c6ffddcaf9e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json @@ -1,7 +1,9 @@ { "description": "This signal detects events that may describe network events of proxy use to the\nInternet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically\nenvironments will use an internal IP address for a proxy server. It can also\nbe used to circumvent network controls and detection mechanisms.\n", + "false_positives": [ + "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "Proxy Port Activity to the Internet", "query": "network.transport: tcp and destination.port: (3128 or 8080 or 1080) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 25, + "risk_score": 47, "rule_id": "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "medium", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json index edd4aa456974d..76528da19a57c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json @@ -1,7 +1,9 @@ { - "description": "This signal detects network events that may indicate the use of RDP traffic\nfrom the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "description": "This signal detects network events that may indicate the use of RDP traffic\nfrom the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "false_positives": [ + "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,23 +13,56 @@ "language": "kuery", "name": "RDP (Remote Desktop Protocol) from the Internet", "query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 50, + "risk_score": 47, "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "medium", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", - "name": "Initial Access", + "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1190", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, "technique": [ { "id": "T1190", "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1043/" + "reference": "https://attack.mitre.org/techniques/T1190/" } ] } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json index c9f3f95ad1e07..55b9716af9346 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json @@ -1,7 +1,9 @@ { - "description": "This signal detects network events that may indicate the use of RDP traffic\nto the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "description": "This signal detects network events that may indicate the use of RDP traffic\nto the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "false_positives": [ + "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "RDP (Remote Desktop Protocol) to the Internet", "query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 50, + "risk_score": 21, "rule_id": "e56993d2-759c-4120-984c-9ec9bb940fd5", "severity": "low", - "tags": ["Elastic", "network"], + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", @@ -25,7 +30,7 @@ }, "technique": [ { - "id": "T1190", + "id": "T1043", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1043/" } @@ -36,11 +41,11 @@ "tactic": { "id": "TA0010", "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [ { - "id": "T1043", + "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/" } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json index 9f5a60f1743d7..ca6715ac48785 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json @@ -1,7 +1,6 @@ { - "description": "This signal detects network events that may indicate the use of RPC traffic\nfrom the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "description": "This signal detects network events that may indicate the use of RPC traffic\nfrom the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +10,13 @@ "language": "kuery", "name": "RPC (Remote Procedure Call) from the Internet", "query": "network.transport: tcp and destination.port: 135 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 50, + "risk_score": 73, "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "high", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json index b860158ef93d3..91db97dabdd46 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json @@ -1,7 +1,6 @@ { - "description": "This signal detects network events that may indicate the use of RPC traffic\nto the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "description": "This signal detects network events that may indicate the use of RPC traffic\nto the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +10,13 @@ "language": "kuery", "name": "RPC (Remote Procedure Call) to the Internet", "query": "network.transport: tcp and destination.port: 135 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 50, + "risk_score": 73, "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "high", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", @@ -27,7 +29,7 @@ { "id": "T1190", "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1043/" + "reference": "https://attack.mitre.org/techniques/T1190/" } ] } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json index fa1f1aba66e83..ee47dff73db40 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json @@ -1,7 +1,6 @@ { - "description": "This signal detects network events that may indicate the use of Windows\nfile sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly\nused within networks to share files, printers, and other system resources amongst\ntrusted systems. It should almost never be directly exposed to the Internet, as\nit is frequently targetted and exploited by threat actors as an initial access\nor backdoor vector or for data exfiltration.\n", + "description": "This signal detects network events that may indicate the use of Windows\nfile sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly\nused within networks to share files, printers, and other system resources amongst\ntrusted systems. It should almost never be directly exposed to the Internet, as\nit is frequently targeted and exploited by threat actors as an initial access\nor back-door vector or for data exfiltration.\n", "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +10,13 @@ "language": "kuery", "name": "SMB (Windows File Sharing) Activity to the Internet", "query": "network.transport: tcp and destination.port: (139 or 445) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 50, + "risk_score": 73, "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "high", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", @@ -27,7 +29,7 @@ { "id": "T1190", "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1043/" + "reference": "https://attack.mitre.org/techniques/T1190/" } ] }, @@ -36,7 +38,7 @@ "tactic": { "id": "TA0010", "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json index 85c8b3f05166c..68daf71d9992a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json @@ -1,7 +1,9 @@ { "description": "This signal detects events that may describe SMTP traffic from internal\nhosts to a host across the Internet. In an enterprise network, there is typically\na dedicate host that is internal that could perform this function. It is also\nfrequently abused by threat actors for command and control or data exfiltration.\n", + "false_positives": [ + "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and / or personal devices may send email traffic to remote Internet destinations; in that case, such devices or networks can be excluded from this rule if this is expected behavior." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "SMTP to the Internet", "query": "network.transport: tcp and destination.port: (25 or 465 or 587) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 50, + "risk_score": 21, "rule_id": "67a9beba-830d-4035-bfe8-40b7e28f8ac4", "severity": "low", - "tags": ["Elastic", "network"], + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", @@ -36,11 +41,11 @@ "tactic": { "id": "TA0010", "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "reference": "https://attack.mitre.org/tactics/TA0010/" }, "technique": [ { - "id": "T1043", + "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/" } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json index e0998029081d3..df779d47246a5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json @@ -1,7 +1,9 @@ { "description": "This signal detects events that may describe database traffic\n(MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases\nshould almost never be directly exposed to the Internet, as they are\nfrequently targeted by threat actors to gain initial access to network resources.\n", + "false_positives": [ + "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,30 @@ "language": "kuery", "name": "SQL Traffic to the Internet", "query": "network.transport: tcp and destination.port: (1433 or 1521 or 3336 or 5432) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 50, + "risk_score": 47, "rule_id": "139c7458-566a-410c-a5cd-f80238d6a5cd", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "medium", + "tags": [ + "Elastic", + "network" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json index 2428909491584..6c278700450b1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json @@ -1,7 +1,9 @@ { - "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "false_positives": [ + "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,38 +13,56 @@ "language": "kuery", "name": "SSH (Secure Shell) from the Internet", "query": "network.transport: tcp and destination.port:22 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 25, + "risk_score": 47, "rule_id": "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "medium", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" + "id": "T1043", + "name": "Commonly Used Port", + "reference": "https://attack.mitre.org/techniques/T1043/" } ] }, { "framework": "MITRE ATT&CK", "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" }, "technique": [ { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" } ] } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json index cf77f9363f525..63f2dbc8a34f1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json @@ -1,7 +1,9 @@ { - "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "false_positives": [ + "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "SSH (Secure Shell) to the Internet", "query": "network.transport: tcp and destination.port:22 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 25, + "risk_score": 21, "rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4", "severity": "low", - "tags": ["Elastic", "network"], + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json index a9a364b1b14bd..0d28f0ea53d9a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json @@ -1,7 +1,9 @@ { - "description": "This signal detects network events that may indicate the use of Telnet traffic.\nTelnet is commonly used by system administrators to remotely control older or embeded\nsystems using the command line shell. It should almost never be directly exposed to\nthe Internet, as it is frequently targetted and exploited by threat actors as an\ninitial access or backdoor vector. As a plaintext protocol, it may also expose\n", + "description": "This signal detects network events that may indicate the use of Telnet traffic.\nTelnet is commonly used by system administrators to remotely control older or embed ed\nsystems using the command line shell. It should almost never be directly exposed to\nthe Internet, as it is frequently targeted and exploited by threat actors as an\ninitial access or back-door vector. As a plain-text protocol, it may also expose\n", + "false_positives": [ + "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,38 +13,56 @@ "language": "kuery", "name": "Telnet Port Activity", "query": "network.transport: tcp and destination.port: 23", - "risk_score": 50, + "risk_score": 47, "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "medium", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", - "name": "Initial Access", + "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { - "id": "T1190", - "name": "Exploit Public-Facing Application", + "id": "T1043", + "name": "Commonly Used Port", "reference": "https://attack.mitre.org/techniques/T1043/" } ] }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", - "name": "Command and Control", + "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" } ] } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json index 811a81c0e6754..80893e9404f02 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json @@ -1,7 +1,9 @@ { - "description": "This signal detects network events that may indicate the use of Tor traffic\nto the Internet. Tor is a network protocol that sends traffic through a\nseries of encrypted tunnels used to conceal a user's location and usage.\nTor may be used by threat actors as an alternate communication pathway to\nconceal the actor's indentity and avoid detection.\n", + "description": "This signal detects network events that may indicate the use of Tor traffic\nto the Internet. Tor is a network protocol that sends traffic through a\nseries of encrypted tunnels used to conceal a user's location and usage.\nTor may be used by threat actors as an alternate communication pathway to\nconceal the actor's identity and avoid detection.\n", + "false_positives": [ + "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "Tor Activity to the Internet", "query": "network.transport: tcp and destination.port: (9001 or 9030) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 25, + "risk_score": 47, "rule_id": "7d2c38d7-ede7-4bdf-b140-445906e6c540", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "medium", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", @@ -30,6 +35,21 @@ "reference": "https://attack.mitre.org/techniques/T1043/" } ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1188", + "name": "Multi-hop Proxy", + "reference": "https://attack.mitre.org/techniques/T1188/" + } + ] } ], "type": "query", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json index d46ee76ba72b2..e64138dd053fa 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json @@ -1,7 +1,9 @@ { - "description": "This signal detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "description": "This signal detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "false_positives": [ + "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,38 +13,41 @@ "language": "kuery", "name": "VNC (Virtual Network Computing) from the Internet", "query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 25, + "risk_score": 73, "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "high", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { - "id": "TA0001", - "name": "Initial Access", + "id": "TA0011", + "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/" }, "technique": [ { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1043/" + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" } ] }, { "framework": "MITRE ATT&CK", "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" }, "technique": [ { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" } ] } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json index d820cedc335ab..8c43419c3ead5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json @@ -1,7 +1,9 @@ { - "description": "This signal detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targetted and\nexploited by threat actors as an initial access or backdoor vector.\n", + "description": "This signal detects network events that may indicate the use of VNC traffic\nto the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "false_positives": [ + "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + ], "index": [ - "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", @@ -11,10 +13,13 @@ "language": "kuery", "name": "VNC (Virtual Network Computing) to the Internet", "query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", - "risk_score": 25, + "risk_score": 47, "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", - "severity": "low", - "tags": ["Elastic", "network"], + "severity": "medium", + "tags": [ + "Elastic", + "network" + ], "threat": [ { "framework": "MITRE ATT&CK", @@ -25,9 +30,9 @@ }, "technique": [ { - "id": "T1043", - "name": "Commonly Used Port", - "reference": "https://attack.mitre.org/techniques/T1043/" + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" } ] } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json index 9d787d3ab738f..87a3119ac780d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json @@ -3,14 +3,6 @@ "false_positives": [ "Some normal applications and scripts may contain no user agent. Most legitmate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." ], - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], "filters": [ { "$state": { @@ -29,15 +21,23 @@ } } ], + "index": [ + "apm-*-transaction*" + ], "language": "kuery", "max_signals": 33, "name": "Web Application Suspicious Activity: No User Agent", "query": "url.path: *", - "references": ["https://en.wikipedia.org/wiki/User_agent"], - "risk_score": 50, + "references": [ + "https://en.wikipedia.org/wiki/User_agent" + ], + "risk_score": 47, "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d", - "severity": "low", - "tags": ["Elastic", "apm"], + "severity": "medium", + "tags": [ + "Elastic", + "APM" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json index c92b801995837..72d85dcbffc06 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json @@ -4,21 +4,21 @@ "This signal does not indicate that a SQL injection attack occured, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" + "apm-*-transaction*" ], "language": "kuery", "name": "Web Application Suspicious Activity: sqlmap User Agent", "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"", - "references": ["http://sqlmap.org/"], - "risk_score": 50, + "references": [ + "http://sqlmap.org/" + ], + "risk_score": 47, "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", - "severity": "low", - "tags": ["Elastic", "apm"], + "severity": "medium", + "tags": [ + "Elastic", + "APM" + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json index 91abe1368b011..9b3784345b013 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json @@ -1,20 +1,51 @@ { - "description": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet", + "description": "Adversaries may abuse the Background Intelligent Transfer Service (BITS) to download, execute, or clean up after performing a malicious action.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows: Background Intelligent Transfer Service (BITS) Connecting to the Internet", + "max_signals": 33, + "name": "Background Intelligent Transfer Service (BITS) connecting to the Internet", "query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, + "risk_score": 21, "rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json deleted file mode 100644 index f3e62405d6e18..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_burp_ce_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Burp CE activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Burp CE activity", - "query": "process.name:BurpSuiteCommunity.exe", - "risk_score": 50, - "rule_id": "0f09845b-2ec8-4770-8155-7df3d4e402cc", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json index 451a1ad4942de..0a960fc427d7b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json @@ -1,20 +1,36 @@ { - "description": "Windows: Certutil Connecting to the Internet", + "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows: Certutil Connecting to the Internet", + "max_signals": 33, + "name": "Certutil Network Connection", "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, + "risk_score": 21, "rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Remote File Copy", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json index 6a2a9213a94a9..87dbd4cd70777 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json @@ -1,20 +1,54 @@ { - "description": "Windows: Command Prompt Connecting to the Internet", + "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", + "false_positives": [ + "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows: Command Prompt Connecting to the Internet", + "max_signals": 33, + "name": "Command Prompt Network Connection", "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, + "risk_score": 21, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Remote File Copy", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json index 92edd71a665dd..a214ab4544b97 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json @@ -1,20 +1,36 @@ { - "description": "Command shell started by Internet Explorer", + "description": "Identifies a suspicious parent child process relationship with cmd.exe spawning form Internet Explorer.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Command shell started by Internet Explorer", + "max_signals": 33, + "name": "Internet Explorer spawning cmd.exe", "query": "process.parent.name:iexplore.exe and process.name:cmd.exe", - "risk_score": 50, + "risk_score": 21, "rule_id": "7a6e1e81-deae-4cf6-b807-9a768fff3c06", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json index 663b2485fab93..187cc9d344902 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json @@ -1,20 +1,51 @@ { - "description": "Command shell started by Powershell", + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Command shell started by Powershell", + "max_signals": 33, + "name": "PowerShell spawning cmd.exe", "query": "process.parent.name:powershell.exe and process.name:cmd.exe", - "risk_score": 50, + "risk_score": 21, "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1086", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1086/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json index 73ab27a131e3d..81114bf8b8766 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json @@ -1,20 +1,36 @@ { - "description": "Command shell started by Svchost", + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Command shell started by Svchost", + "max_signals": 33, + "name": "Svchost spawning cmd.exe", "query": "process.parent.name:svchost.exe and process.name:cmd.exe", - "risk_score": 50, + "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command-Line Interface", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json deleted file mode 100644 index 9516b80412582..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_commands.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Credential Dumping Commands", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Credential Dumping Commands", - "query": "event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*)", - "risk_score": 50, - "rule_id": "66885745-ea38-432c-9edb-599b943948d4", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json deleted file mode 100644 index 06a9de8f20720..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_imageload.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Credential Dumping via ImageLoad", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Credential Dumping via ImageLoad", - "query": "event.code:7 and not process.name:Sysmon.exe and not process.name:Sysmon64.exe and not process.name:svchost.exe and not process.name:logonui.exe and (file.path:*samlib.dll* or file.path:*WinSCard.dll* or file.path:*cryptdll.dll* or file.path:*hid.dll* or file.path:*vaultcli.dll*)", - "risk_score": 50, - "rule_id": "f872647c-d070-4b1c-afcc-055f081d9205", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json deleted file mode 100644 index a19646d2f83cf..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_via_registry_save.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Credential Dumping via Registry Save", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Credential Dumping via Registry Save", - "query": "event.code: 1 and process.name:reg.exe and process.args:*save* and (process.args:*sam* or process.args:*system*)", - "risk_score": 50, - "rule_id": "9f6fb56f-4bbd-404e-b955-49dfba7c0e68", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json deleted file mode 100644 index 9be27cbec023f..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_data_compression_using_powershell.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Data Compression Using Powershell", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Data Compression Using Powershell", - "query": "event.code: 1 and process.name:powershell.exe and (process.args:*Recurse* and process.args:*Compress-Archive*)", - "risk_score": 50, - "rule_id": "bc913943-e1f9-4bf5-a593-caca7c2eb0c3", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json deleted file mode 100644 index a4126a9b45ec9..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_decoding_using_certutil.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Defense Evasion - Decoding Using Certutil", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Defense Evasion - Decoding Using Certutil", - "query": "event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)", - "risk_score": 50, - "rule_id": "d9642bf2-87d0-45c2-8781-2bd2017cdbb8", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json deleted file mode 100644 index edba96cbcc37b..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_or_persistence_via_hidden_files.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Defense Evasion or Persistence via Hidden Files", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Defense Evasion or Persistence via Hidden Files", - "query": "event.code:1 and process.name:attrib.exe and (process.args:\"+h\" or process.args:\"+s\")", - "risk_score": 50, - "rule_id": "340a0063-baba-447b-8396-26a5cc1eb684", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json index 56c2a3ecd7eaf..7c999c1fc1e03 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json @@ -1,20 +1,37 @@ { - "description": "Windows Defense evasion via Filter Manager", + "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Defense evasion via Filter Manager", + "max_signals": 33, + "name": "Potential Evasion via Filter Manager", "query": "event.code:1 and process.name:fltmc.exe", - "risk_score": 50, + "risk_score": 21, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "D-SA", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json deleted file mode 100644 index 2f25c7282a87d..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_windows_event_log_tools.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Defense Evasion via Windows Event Log Tools", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Defense Evasion via Windows Event Log Tools", - "query": "event.code:1 and process.name:wevtutil.exe", - "risk_score": 50, - "rule_id": "07979a67-ab4d-460f-9ff3-bf1352de6762", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json index 079d33bf0f676..62c8942dda9c3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json @@ -1,20 +1,54 @@ { - "description": "Windows Execution via Compiled HTML File", + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "false_positives": [ + "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Execution via Compiled HTML File", + "max_signals": 33, + "name": "Process Activity via Compiled HTML File", "query": "event.code:1 and process.name:hh.exe", - "risk_score": 50, + "risk_score": 21, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json index 9c8a4f4b47dce..657487232fe81 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json @@ -1,20 +1,37 @@ { - "description": "Windows Execution via Connection Manager", + "description": "Various Windows utilities may be used to execute commands, possibly without invoking cmd.exe, including the Program Compatibility Assistant (pcalua.exe) or forfiles.exe.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Execution via Connection Manager", + "max_signals": 33, + "name": "Indirect Command Execution", "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)", - "risk_score": 50, + "risk_score": 21, "rule_id": "f2728299-167a-489c-913c-2e0955ac3c40", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "D-SA", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json deleted file mode 100644 index d986ccbb865f8..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_microsoft_html_application_hta.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Execution via Microsoft HTML Application (HTA)", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Execution via Microsoft HTML Application (HTA)", - "query": "event.code:1 and (process.parent.args:*mshta* or process.args:*mshta*)", - "risk_score": 50, - "rule_id": "b007cc82-c522-48d1-b7a7-53f63c50c494", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json index 26e99cbb59e48..80d91fa515342 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json @@ -1,20 +1,40 @@ { - "description": "Windows Execution via .NET COM Assemblies", + "description": "Adversaries can use Regsvcs.exe and Regasm.exe to proxy execution of code through a trusted Windows utility.", + "false_positives": [ + "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Execution via .NET COM Assemblies", + "max_signals": 33, + "name": "Execution via Regsvcs/Regasm", "query": "event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)", - "risk_score": 50, + "risk_score": 21, "rule_id": "5c12412f-602c-4120-8c4f-69d723dbba04", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "D-SA", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1121", + "name": "Regsvcs/Regasm", + "reference": "https://attack.mitre.org/techniques/T1121/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json index 06d4a075c4e6b..6b2c54d527963 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json @@ -1,20 +1,51 @@ { - "description": "Windows Execution via Regsvr32", + "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This may indicate a malicious scriptlet is being executed in the target process.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Execution via Regsvr32", + "max_signals": 33, + "name": "Suspicious Script Object Execution", "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)", - "risk_score": 50, + "risk_score": 21, "rule_id": "b7333d08-be4b-4cb4-b81e-924ae37b3143", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1064", + "name": "Scripting", + "reference": "https://attack.mitre.org/techniques/T1064/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1064", + "name": "Scripting", + "reference": "https://attack.mitre.org/techniques/T1064/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json index bc3ebf38181a0..e722d311b86c7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json @@ -1,20 +1,55 @@ { - "description": "Windows Execution via Trusted Developer Utilities", + "description": "Identifies possibly suspicious activity using trusted Windows developer activity.", + "false_positives": [ + "These programs may be used by Windows developers but use by non-engineers is unusual." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Execution via Trusted Developer Utilities", + "max_signals": 33, + "name": "Trusted Developer Application Usage", "query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)", - "risk_score": 50, + "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "D-SA", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json index cec9fe4a4aebe..2b4d774281b84 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json @@ -1,20 +1,51 @@ { - "description": "Windows: HTML Help executable Program Connecting to the Internet", + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows: HTML Help executable Program Connecting to the Internet", + "max_signals": 33, + "name": "Network Connection via Compiled HTML File", "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, + "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1223", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1223/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json deleted file mode 100644 index 3e80b58377af6..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_image_load_from_a_temp_directory.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "description": "Windows image load from a temp directory", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.action", - "negate": false, - "params": { - "query": "Image loaded (rule: ImageLoad)" - }, - "type": "phrase", - "value": "Image loaded (rule: ImageLoad)" - }, - "query": { - "match": { - "event.action": { - "query": "Image loaded (rule: ImageLoad)", - "type": "phrase" - } - } - } - } - ], - "language": "kuery", - "name": "Windows image load from a temp directory", - "query": "file.path:Temp", - "risk_score": 50, - "rule_id": "f23e4cc7-6825-4a28-b27a-e67437a9a806", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json deleted file mode 100644 index a7f22358a11d9..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_indirect_command_execution.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Indirect Command Execution", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Indirect Command Execution", - "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)", - "risk_score": 50, - "rule_id": "ff969842-c573-4e69-8e12-02fb303290f2", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json deleted file mode 100644 index 8aae9dc83a1cd..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_iodine_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Iodine activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Iodine activity", - "query": "event.code: 1 and process.name:iodine.exe or process.name:iodined.exe", - "risk_score": 50, - "rule_id": "fcbbf0b2-99c5-4c7f-8411-dc9ee392e43f", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json deleted file mode 100644 index da525a8573264..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_management_instrumentation_wmi_execution.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Management Instrumentation (WMI) Execution", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Management Instrumentation (WMI) Execution", - "query": "event.code:1 and (process.parent.args:*wmiprvse.exe* or process.name:wmic.exe or process.args:*wmic* )", - "risk_score": 50, - "rule_id": "cec5eb81-6e01-40e5-a1bf-bf175cce4eb4", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json deleted file mode 100644 index 2f7a8dbee7c80..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_microsoft_html_application_hta_connecting_to_the_internet.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows: Microsoft HTML Application (HTA) Connecting to the Internet", - "query": "process.name:mshta.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, - "rule_id": "b084514b-e8ba-4bc4-bc2b-50fe145a4215", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json deleted file mode 100644 index 64641bb539cb9..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_mimikatz_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Mimikatz activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Mimikatz activity", - "query": "event.code: 1 and process.name:mimikatz.exe", - "risk_score": 50, - "rule_id": "5346463d-062f-419d-88ff-7a5e97875210", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json index bb08cd4023e6a..8a4cb75588bff 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json @@ -1,20 +1,51 @@ { - "description": "Windows: Misc LOLBin Connecting to the Internet", + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows: Misc LOLBin Connecting to the Internet", + "max_signals": 33, + "name": "Network Connection via Signed Binary", "query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, + "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json index fce37db4fae3d..5b3257daec8fb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json @@ -1,20 +1,36 @@ { - "description": "Windows net command activity by the SYSTEM account", + "description": "Identifies attempts to create new users via the SYSTEM account.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows net command activity by the SYSTEM account", + "max_signals": 33, + "name": "Net command via SYSTEM account", "query": "process.name: (net.exe or net1.exe) and user.name:SYSTEM", - "risk_score": 50, + "risk_score": 21, "rule_id": "c3f5dc81-a8b4-4144-95a7-d0a818d7355d", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json deleted file mode 100644 index 555bb4afb0c10..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_user_command_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows net user command activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows net user command activity", - "query": "process.name:net.exe and process.args:user and event.code:1", - "risk_score": 50, - "rule_id": "b039a69d-7fba-4c84-8029-57ac12548a15", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json deleted file mode 100644 index 288bc6dd2375b..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Netcat activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Netcat activity", - "query": "process.name:ncat.exe and event.code:1", - "risk_score": 50, - "rule_id": "e2437364-0c89-4e65-a34b-782cfbb7690b", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json deleted file mode 100644 index a533cd36ffdcf..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_netcat_network_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Netcat network activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Netcat network activity", - "query": "process.name:ncat.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"", - "risk_score": 50, - "rule_id": "ebdc4b6f-7fdb-4c21-bbd6-59e1ed11024a", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json deleted file mode 100644 index 173e5191d9e65..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_network_anomalous_windows_process_using_https_ports.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Network - Anomalous Windows Process Using HTTP/S Ports", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Network - Anomalous Windows Process Using HTTP/S Ports", - "query": "(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not process.name:chrome.exe and not process.name:explorer.exe and not process.name:filebeat.exe and not process.name:firefox.exe and not process.name:iexplore.exe and not process.name:jusched.exe and not process.name:MpCmdRun.exe and not process.name:MpSigStub.exe and not process.name:msfeedssync.exe and not process.name:packetbeat.exe and not process.name:powershell.exe and not process.name:procexp64.exe and not process.name:svchost.exe and not process.name:taskhostw.exe and not process.name:winlogbeat.exe", - "risk_score": 50, - "rule_id": "b486fa9e-e6c7-44a1-b07d-7d5f07f21ce1", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json deleted file mode 100644 index dc231e5edce1e..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows nmap activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows nmap activity", - "query": "process.name:nmap.exe and event.code:1", - "risk_score": 50, - "rule_id": "5a4b2a98-31a6-4852-b224-d63aeb9e172d", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json deleted file mode 100644 index ccd49169e6497..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_nmap_scan_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows nmap scan activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows nmap scan activity", - "query": "process.name:nmap.exe and event.action:\"Network connection detected (rule: NetworkConnect)\"", - "risk_score": 50, - "rule_id": "54413985-a3da-4f45-b238-75afb65a1bae", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json deleted file mode 100644 index f7a331ca01474..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_payload_obfuscation_via_certutil.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Payload Obfuscation via Certutil", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Payload Obfuscation via Certutil", - "query": "event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)", - "risk_score": 50, - "rule_id": "ce7c270c-c69b-47dd-8c21-60a35e92f372", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json deleted file mode 100644 index 379cab0f07438..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_or_priv_escalation_via_hooking.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Persistence or Priv Escalation via Hooking", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Persistence or Priv Escalation via Hooking", - "query": "event.code:1 and process.name:mavinject.exe and processs.args:*INJECTRUNNING*", - "risk_score": 50, - "rule_id": "015f070d-cf70-437c-99d1-472e31d36b03", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json index ca5daf772a22e..2c10382cdbc7c 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json @@ -1,20 +1,52 @@ { - "description": "Windows Persistence via Application Shimming", + "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Persistence via Application Shimming", + "max_signals": 33, + "name": "Potential Application Shimming via Sdbinst", "query": "event.code:1 and process.name:sdbinst.exe", - "risk_score": 50, + "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "D-SA", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1138", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1138/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1138", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1138/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json deleted file mode 100644 index 4c6515f33fad0..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_bits_jobs.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Persistence via BITS Jobs", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Persistence via BITS Jobs", - "query": "event.code:1 and (process.name:bitsadmin.exe or process.args:*Start-BitsTransfer*)", - "risk_score": 50, - "rule_id": "7904fb20-172c-43fb-83e4-bfe27e3c702c", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json deleted file mode 100644 index 01b56a1ecd1e0..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_modification_of_existing_service.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Persistence via Modification of Existing Service", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Persistence via Modification of Existing Service", - "query": "event.code:1 and process.args:*sc*config*binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)", - "risk_score": 50, - "rule_id": "3bb04809-84ab-4487-bd99-ccc58675bd40", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json deleted file mode 100644 index 50b31aa7033eb..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_netshell_helper_dll.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Persistence via Netshell Helper DLL", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Persistence via Netshell Helper DLL", - "query": "event.code:1 and process.name:netsh.exe and process.args:*helper*", - "risk_score": 50, - "rule_id": "d7c2561d-2758-46ad-b5a9-247efb9eea21", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json deleted file mode 100644 index 5198f85b999ac..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_powershell_connecting_to_the_internet.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows: Powershell Connecting to the Internet", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows: Powershell Connecting to the Internet", - "query": "process.name:powershell.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, - "rule_id": "a8cfa646-e4d8-48b5-884e-6204ba77fc8d", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json index f24460373f55d..23d05aaf526e3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json @@ -1,20 +1,52 @@ { - "description": "Windows Priv Escalation via Accessibility Features", + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Priv Escalation via Accessibility Features", + "max_signals": 33, + "name": "Potential Modification of Accessibility Binaries", "query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)", - "risk_score": 50, + "risk_score": 21, "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "D-SA", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1015", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1015/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1015", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1015/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json index fd2bfcf216bf3..5f5215ddff8c6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json @@ -1,20 +1,40 @@ { - "description": "Windows Process Discovery via Tasklist Command", + "description": "Adversaries may attempt to get information about running processes on a system.", + "false_positives": [ + "Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Process Discovery via Tasklist Command", + "max_signals": 33, + "name": "Process Discovery via Tasklist", "query": "event.code:1 and process.name:tasklist.exe", - "risk_score": 50, + "risk_score": 21, "rule_id": "cc16f774-59f9-462d-8b98-d27ccd4519ec", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "D-SA", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json index 1e14de81b7cb2..6d6343330a7ff 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json @@ -1,20 +1,39 @@ { - "description": "Process Execution via WMI", + "description": "Identifies use of scrcons.exe, which is a Windows Management Instrumentation (WMI) Standard Event Consumer scripting application.", + "false_positives": [ + " Windows Management Instrumentation (WMI) processes can be used for an array of administrative capabilities. It's important to baseline your environment to determine any abnormal use of this tool." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Process Execution via WMI", + "max_signals": 33, + "name": "Execution via Scrcons", "query": "process.name:scrcons.exe", - "risk_score": 50, + "risk_score": 21, "rule_id": "7e6cd4b9-6346-4683-b3e6-6a3e66f3208f", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json deleted file mode 100644 index 973a7df57f712..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_acrobat_reader_possible_payload.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Process started by Acrobat reader - possible payload", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Process started by Acrobat reader - possible payload", - "query": "process.parent.name:AcroRd32.exe and event.code:1", - "risk_score": 50, - "rule_id": "b6422896-b6e3-45c3-9d9e-4eccb2a25270", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json deleted file mode 100644 index cb7b234c21f8c..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_ms_office_program_possible_payload.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Process started by MS Office program - possible payload", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Process started by MS Office program - possible payload", - "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE and event.code:1", - "risk_score": 50, - "rule_id": "838dcec6-ce9a-4cdd-9ca8-f6512cf6d559", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json deleted file mode 100644 index c684be0732064..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_started_by_the_java_runtime.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows process started by the Java runtime", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows process started by the Java runtime", - "query": "process.parent.name:javaw.exe and event.code:1", - "risk_score": 50, - "rule_id": "159168a1-b1d0-4e5c-ad72-c1e9ae2edec2", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json deleted file mode 100644 index e4c91b6f89cd4..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_psexec_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "PSexec activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "PSexec activity", - "query": "process.name:PsExec.exe or process.name:PsExec64.exe", - "risk_score": 50, - "rule_id": "3e61ab8b-0f39-4d2e-ab64-332f0d0b3ad7", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json index a106eda988e94..b35e016be15d7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json @@ -1,20 +1,54 @@ { - "description": "Windows: Register Server Program Connecting to the Internet", + "description": "Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows: Register Server Program Connecting to the Internet", + "max_signals": 33, + "name": "Network Connection via Regsvr", "query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, + "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1117", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1117/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1117", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1117/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json deleted file mode 100644 index 49642d271d4ea..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_local.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Registry Query, Local", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Registry Query, Local", - "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*", - "risk_score": 50, - "rule_id": "b9074c74-6d23-4b07-927e-cc18b318a088", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json deleted file mode 100644 index 884deb7645a67..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_registry_query_network.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Registry Query, Network", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Registry Query, Network", - "query": "event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*", - "risk_score": 50, - "rule_id": "f5412e37-981e-4d37-a1b2-eddaf797445a", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json deleted file mode 100644 index 08d96ad741502..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_remote_management_execution.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Remote Management Execution", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Remote Management Execution", - "query": "(process.name:wsmprovhost.exe or process.name:winrm.cmd) and (process.args:*Enable-PSRemoting -Force* or process.args:*Invoke-Command -computer_name* or process.args:*wmic*node*process call create*)", - "risk_score": 50, - "rule_id": "ced66221-3e07-40ee-8588-5f107e7d50d8", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json deleted file mode 100644 index 56f5b71ceb510..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_scheduled_task_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Scheduled Task Activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Scheduled Task Activity", - "query": "event.code:1 and (process.name:schtasks.exe or process.name:taskeng.exe) or (event.code:1 and process.name:svchost.exe and not process.parent.executable: \"C:\\Windows\\System32\\services.exe\" )", - "risk_score": 50, - "rule_id": "a1abd54d-3021-4f21-b2d1-0c6bc5c4051f", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json deleted file mode 100644 index a700ac0a48bc2..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_script_interpreter_connecting_to_the_internet.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows: Script Interpreter Connecting to the Internet", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows: Script Interpreter Connecting to the Internet", - "query": "(process.name:cscript.exe or process.name:wscript.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 50, - "rule_id": "2cc4597c-b0c9-4481-b1a6-e6c05cfc9f02", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json index 1dc62c7b5db42..cf5135cc490eb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json @@ -1,20 +1,54 @@ { - "description": "Windows Signed Binary Proxy Execution", + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Signed Binary Proxy Execution", + "max_signals": 33, + "name": "Execution via Signed Binary", "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)", - "risk_score": 50, + "risk_score": 21, "rule_id": "7edb573f-1f9b-4161-8c19-c7c383bb17f2", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json index 717d99ee7901c..117a40d0fdcee 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json @@ -1,20 +1,54 @@ { - "description": "Windows Signed Binary Proxy Execution Download", + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows Signed Binary Proxy Execution Download", + "max_signals": 33, + "name": "Potential Download via Signed Binary", "query": " event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)", - "risk_score": 50, + "risk_score": 21, "rule_id": "68ecc190-cce2-4021-b976-c7c846ac0a00", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1218", + "name": "Signed Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json index 82733cbb6b21c..3691c59d784fb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json @@ -1,20 +1,54 @@ { - "description": "Suspicious process started by a script", + "description": "Identifies a suspicious process being spawned from a script interpreter, which could be indicative of a potential phishing attack.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Suspicious process started by a script", + "max_signals": 33, + "name": "Suspicious Process Spawning from Script Interpreter", "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe) and event.code:1", - "risk_score": 50, + "risk_score": 21, "rule_id": "89db767d-99f9-479f-8052-9205fd3090c4", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1064", + "name": "Scripting", + "reference": "https://attack.mitre.org/techniques/T1064/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1064", + "name": "Scripting", + "reference": "https://attack.mitre.org/techniques/T1064/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json index 768cd65c5e4f5..3618d304dc32a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json @@ -1,20 +1,39 @@ { - "description": "Windows whoami command activity", + "description": "Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", + "false_positives": [ + "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." + ], "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", "winlogbeat-*" ], "language": "kuery", - "name": "Windows whoami command activity", + "max_signals": 33, + "name": "Whoami Process Activity", "query": "process.name:whoami.exe and event.code:1", - "risk_score": 50, + "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "severity": "low", - "tags": ["Elastic"], + "tags": [ + "Elastic", + "Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], "type": "query", "version": 1 } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json deleted file mode 100644 index 4f33e95cfe2e9..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_windump_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "WinDump activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "WinDump activity", - "query": "process.name:WinDump.exe", - "risk_score": 50, - "rule_id": "a342cfcb-8420-46a4-8d85-53edc631e0d6", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json deleted file mode 100644 index 72db4aed03c88..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_wireshark_activity.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "description": "Windows Wireshark activity", - "index": [ - "apm-*-transaction*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "packetbeat-*", - "winlogbeat-*" - ], - "language": "kuery", - "name": "Windows Wireshark activity", - "query": "process.name:wireshark.exe", - "risk_score": 50, - "rule_id": "9af965ed-d501-4541-97f6-5f8d2a39737b", - "severity": "low", - "tags": ["Elastic"], - "type": "query", - "version": 1 -}