From fac68730548685d87364db696ae6c3e16fc94f43 Mon Sep 17 00:00:00 2001 From: Frank Hassanabad Date: Tue, 4 Feb 2020 18:19:36 -0700 Subject: [PATCH] [SIEM][Detection Engine] Final final rule changes (#56806) ## Summary * Final, final, Rule changes ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ ~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~ ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ ~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ --- NOTICE.txt | 2 - .../403_response_to_a_post.json | 6 +- .../405_response_method_not_allowed.json | 6 +- ..._security_adversary_behavior_detected.json | 6 +- ...dpoint_security_cred_dumping_detected.json | 8 +- ...point_security_cred_dumping_prevented.json | 8 +- ...t_security_cred_manipulation_detected.json | 8 +- ..._security_cred_manipulation_prevented.json | 11 +- ...ic_endpoint_security_exploit_detected.json | 6 +- ...c_endpoint_security_exploit_prevented.json | 6 +- ...ic_endpoint_security_malware_detected.json | 6 +- ...c_endpoint_security_malware_prevented.json | 6 +- ...nt_security_permission_theft_detected.json | 6 +- ...t_security_permission_theft_prevented.json | 6 +- ...t_security_process_injection_detected.json | 6 +- ..._security_process_injection_prevented.json | 6 +- ...endpoint_security_ransomware_detected.json | 6 +- ...ndpoint_security_ransomware_prevented.json | 6 +- ...den_file_attribute_with_via_attribexe.json | 4 +- .../eql_adobe_hijack_persistence.json | 2 +- .../eql_audio_capture_via_powershell.json | 36 ---- .../eql_audio_capture_via_soundrecorder.json | 36 ---- .../eql_bypass_uac_event_viewer.json | 36 ---- .../eql_bypass_uac_via_cmstp.json | 36 ---- .../eql_bypass_uac_via_sdclt.json | 36 ---- .../eql_clearing_windows_event_logs.json | 4 +- ...delete_volume_usn_journal_with_fsutil.json | 2 +- ...deleting_backup_catalogs_with_wbadmin.json | 2 +- .../eql_direct_outbound_smb_connection.json | 2 +- ...ble_windows_firewall_rules_with_netsh.json | 2 +- .../eql_dll_search_order_hijack.json | 51 ----- ...coding_or_decoding_files_via_certutil.json | 2 +- .../eql_local_scheduled_task_commands.json | 2 +- .../eql_local_service_commands.json | 2 +- ...ql_modification_of_boot_configuration.json | 36 ---- ...ql_msbuild_making_network_connections.json | 4 +- .../eql_mshta_making_network_connections.json | 4 +- .../eql_msxsl_making_network_connections.json | 36 ---- .../eql_psexec_lateral_movement_command.json | 4 +- ...ql_suspicious_ms_office_child_process.json | 2 +- ...l_suspicious_ms_outlook_child_process.json | 2 +- ...l_suspicious_pdf_reader_child_process.json | 36 ---- .../eql_system_shells_via_services.json | 2 +- ...usual_network_connection_via_rundll32.json | 2 +- .../eql_unusual_parentchild_relationship.json | 2 +- ...ql_unusual_process_network_connection.json | 2 +- .../eql_user_account_creation.json | 2 +- ...eql_user_added_to_administrator_group.json | 36 ---- ...ume_shadow_copy_deletion_via_vssadmin.json | 2 +- ..._volume_shadow_copy_deletion_via_wmic.json | 4 +- ...l_windows_script_executing_powershell.json | 2 +- .../eql_wmic_command_lateral_movement.json | 39 ---- .../rules/prepackaged_rules/index.ts | 186 +++++++----------- .../linux_hping_activity.json | 6 +- .../linux_iodine_activity.json | 4 +- .../linux_kernel_module_activity.json | 4 +- .../linux_ldso_process_activity.json | 22 --- .../linux_mknod_activity.json | 6 +- .../linux_netcat_network_connection.json | 6 +- .../linux_nmap_activity.json | 6 +- .../linux_nping_activity.json | 6 +- ...nux_process_started_in_temp_directory.json | 4 +- .../linux_shell_activity_by_web_server.json | 4 +- .../linux_socat_activity.json | 6 +- .../linux_strace_activity.json | 2 +- .../linux_tcpdump_activity.json | 4 +- .../linux_whoami_commmand.json | 4 +- .../network_dns_directly_to_the_internet.json | 8 +- ...fer_protocol_activity_to_the_internet.json | 8 +- ...hat_protocol_activity_to_the_internet.json | 8 +- .../network_nat_traversal_port_activity.json | 8 +- .../network_port_26_activity.json | 10 +- ...rk_port_8000_activity_to_the_internet.json | 6 +- ..._to_point_tunneling_protocol_activity.json | 10 +- ...k_proxy_port_activity_to_the_internet.json | 8 +- ...te_desktop_protocol_from_the_internet.json | 8 +- ...mote_desktop_protocol_to_the_internet.json | 8 +- ...mote_procedure_call_from_the_internet.json | 6 +- ...remote_procedure_call_to_the_internet.json | 6 +- ...file_sharing_activity_to_the_internet.json | 6 +- .../network_smtp_to_the_internet.json | 8 +- ..._server_port_activity_to_the_internet.json | 8 +- ...rk_ssh_secure_shell_from_the_internet.json | 8 +- ...work_ssh_secure_shell_to_the_internet.json | 8 +- .../network_telnet_port_activity.json | 8 +- .../network_tor_activity_to_the_internet.json | 8 +- ...l_network_computing_from_the_internet.json | 8 +- ...ual_network_computing_to_the_internet.json | 8 +- .../rules/prepackaged_rules/notice.ts | 2 - .../prepackaged_rules/null_user_agent.json | 4 +- .../prepackaged_rules/sqlmap_user_agent.json | 5 +- ...rvice_bits_connecting_to_the_internet.json | 51 ----- ...s_certutil_connecting_to_the_internet.json | 36 ---- ...and_prompt_connecting_to_the_internet.json | 2 +- ...nd_shell_started_by_internet_explorer.json | 36 ---- ...s_command_shell_started_by_powershell.json | 4 +- ...dows_command_shell_started_by_svchost.json | 4 +- ...ws_defense_evasion_via_filter_manager.json | 5 +- ...dows_execution_via_compiled_html_file.json | 2 +- ...dows_execution_via_connection_manager.json | 37 ---- ...dows_execution_via_net_com_assemblies.json | 40 ---- .../windows_execution_via_regsvr32.json | 2 +- ...ution_via_trusted_developer_utilities.json | 3 +- ...le_program_connecting_to_the_internet.json | 2 +- ...isc_lolbin_connecting_to_the_internet.json | 2 +- ...ommand_activity_by_the_system_account.json | 36 ---- ..._persistence_via_application_shimming.json | 3 +- ...escalation_via_accessibility_features.json | 3 +- ...rocess_discovery_via_tasklist_command.json | 3 +- .../windows_process_execution_via_wmi.json | 39 ---- ...er_program_connecting_to_the_internet.json | 2 +- ...windows_signed_binary_proxy_execution.json | 2 +- ...igned_binary_proxy_execution_download.json | 54 ----- ...uspicious_process_started_by_a_script.json | 4 +- .../windows_whoami_command_activity.json | 2 +- 115 files changed, 312 insertions(+), 1094 deletions(-) delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json diff --git a/NOTICE.txt b/NOTICE.txt index e0c5d94eff6b3..69be6db72cff2 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -162,8 +162,6 @@ which is available under a "MIT" license. The files based on this license are: - windows_priv_escalation_via_accessibility_features.json - windows_persistence_via_application_shimming.json - windows_execution_via_trusted_developer_utilities.json -- windows_execution_via_net_com_assemblies.json -- windows_execution_via_connection_manager.json MIT License diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json index c685d96cdf57b..fd46a09d4ced0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json @@ -1,13 +1,13 @@ { - "description": "A POST request to web application returned a 403 response which indicates the web application declined to process the request because the action requested was disallowed.", + "description": "A POST request to web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed", "false_positives": [ - "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." ], "index": [ "apm-*-transaction*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Web Application Suspicious Activity: POST Request Declined", "query": "http.response.status_code:403 and http.request.method:post", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json index 64264452d468b..a6235c889902b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json @@ -1,13 +1,13 @@ { - "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method was not allowed for the resource.", + "description": "A request to web application returned a 405 response which indicates the web application declined to process the request because the HTTP method is not allowed for the resource", "false_positives": [ - "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." + "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." ], "index": [ "apm-*-transaction*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Web Application Suspicious Activity: Unauthorized Method", "query": "http.response.status_code:405", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json index 56d142fdf3ef8..397db1367f402 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Adversary behavior detected.", + "description": "Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Adversary Behavior - Detected - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:rules_engine_event", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json index 6805696ce6bc9..fdd875e95b3d3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_detected.json @@ -1,11 +1,13 @@ { - "description": "Elastic Endpoint Security Alert - Credential dumping detected.", + "description": "Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, - "name": "Cred Dumping - Detected - Elastic Endpoint", + "max_signals": 100, + "name": "Credential Dumping - Detected - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:detection", "risk_score": 73, "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json index 68c0f5cad8252..8ed63c55ef213 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json @@ -1,11 +1,13 @@ { - "description": "Elastic Endpoint Security Alert - Credential dumping prevented.", + "description": "Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, - "name": "Cred Dumping - Prevented - Elastic Endpoint", + "max_signals": 100, + "name": "Credential Dumping - Prevented - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:cred_theft_event and endgame.metadata.type:prevention", "risk_score": 47, "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json index 0d0d9c71a2ec1..98c4e5341d9e8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json @@ -1,11 +1,13 @@ { - "description": "Elastic Endpoint Security Alert - Credential manipulation detected.", + "description": "Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, - "name": "Cred Manipulation - Detected - Elastic Endpoint", + "max_signals": 100, + "name": "Credential Manipulation - Detected - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:detection", "risk_score": 73, "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json index df49c80e3097b..4234e3d955794 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json @@ -1,17 +1,20 @@ { - "description": "Elastic Endpoint Security Alert - Credential manipulation prevented.", + "description": "Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, - "name": "Cred Manipulation - Prevented - Elastic Endpoint", + "max_signals": 100, + "name": "Credential Manipulation - Prevented - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:token_manipulation_event and endgame.metadata.type:prevention", "risk_score": 47, "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", "severity": "medium", "tags": [ - "Elastic" + "Elastic", + "Endpoint" ], "type": "query", "version": 1 diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json index 9c3896a70b3a0..9971075d7e617 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Exploit detected.", + "description": "Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Exploit - Detected - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:detection", "risk_score": 73, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json index 4632ae6a1487b..233552fc1de13 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Exploit prevented.", + "description": "Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Exploit - Prevented - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:exploit_event and endgame.metadata.type:prevention", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json index 68831392942d4..64d686fb984c9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Malware detected.", + "description": "Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Malware - Detected - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:detection", "risk_score": 99, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json index 56b41df2a3349..72f2134f23ab2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Malware prevented.", + "description": "Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Malware - Prevented - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:file_classification_event and endgame.metadata.type:prevention", "risk_score": 73, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json index 268dc9cf89121..3755dd4cd5dac 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Permission theft detected.", + "description": "Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Permission Theft - Detected - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:detection", "risk_score": 73, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json index 6deda3d0453b2..d869407586372 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Permission theft prevented.", + "description": "Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Permission Theft - Prevented - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:token_protection_event and endgame.metadata.type:prevention", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json index 25a03e611fe3e..1078cf69394e2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Process injection detected.", + "description": "Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Process Injection - Detected - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:detection", "risk_score": 73, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json index 6c549d70a9d41..8b68fc6925f9b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Process injection prevented.", + "description": "Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Process Injection - Prevented - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:kernel_shellcode_event and endgame.metadata.type:prevention", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json index 4a118cf8ab861..a332c7011e94b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Ransomware detected.", + "description": "Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Ransomware - Detected - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:detection", "risk_score": 99, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json index 8b48e8f4c1758..087c91d2105ce 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json @@ -1,10 +1,12 @@ { - "description": "Elastic Endpoint Security Alert - Ransomware prevented.", + "description": "Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.", + "from": "now-660s", "index": [ "endgame-*" ], + "interval": "10m", "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Ransomware - Prevented - Elastic Endpoint", "query": "event.kind:alert and event.module:endgame and event.action:ransomware_event and endgame.metadata.type:prevention", "risk_score": 73, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json index 374691f670b74..43aead33925c1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json @@ -1,10 +1,10 @@ { - "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection", + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "index": [ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Adding Hidden File Attribute via Attrib", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"attrib.exe\" and process.args:\"+h\"", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json index 47f171dd7be0e..387726168cb10 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Adobe Hijack Persistence", "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json deleted file mode 100644 index 7ec960eea6302..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_powershell.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Audio Capture via PowerShell", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"powershell.exe\" and process.args:\"WindowsAudioDevice-Powershell-Cmdlet\"", - "risk_score": 21, - "rule_id": "b27b9f47-0a20-4807-8377-7f899b4fbada", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1123", - "name": "Audio Capture", - "reference": "https://attack.mitre.org/techniques/T1123/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json deleted file mode 100644 index 87bdfc4980124..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_audio_capture_via_soundrecorder.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "An adversary can leverage a computer's peripheral devices or applications to capture audio recordings for the purpose of listening into sensitive conversations to gather information.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Audio Capture via SoundRecorder", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"SoundRecorder.exe\" and process.args:\"/FILE\"", - "risk_score": 21, - "rule_id": "f8e06892-ed10-4452-892e-2c5a38d552f1", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1123", - "name": "Audio Capture", - "reference": "https://attack.mitre.org/techniques/T1123/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json deleted file mode 100644 index 2fa63fa51f7c1..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_event_viewer.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Bypass UAC via Event Viewer", - "query": "process.parent.name:eventvwr.exe and event.action:\"Process Create (rule: ProcessCreate)\" and not process.executable:(\"C:\\Windows\\System32\\mmc.exe\" or \"C:\\Windows\\SysWOW64\\mmc.exe\")", - "risk_score": 21, - "rule_id": "59547add-a400-4baa-aa0c-66c72efdb77f", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1088", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1088/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json deleted file mode 100644 index fdc716dcb3ebe..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_cmstp.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies User Account Control (UAC) bypass via cmstp.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Bypass UAC via Cmstp", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"cmstp.exe\" and process.parent.args:(\"/s\" and \"/au\")", - "risk_score": 21, - "rule_id": "2f7403da-1a4c-46bb-8ecc-c1a596e10cd0", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1088", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1088/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json deleted file mode 100644 index 484a01e0211ab..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_bypass_uac_via_sdclt.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Bypass UAC via Sdclt", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"sdclt.exe\" and process.args:\"/kickoffelev\" and not process.executable:(\"C:\\Windows\\System32\\sdclt.exe\" or \"C:\\Windows\\System32\\control.exe\" or \"C:\\Windows\\SysWOW64\\sdclt.exe\" or \"C:\\Windows\\SysWOW64\\control.exe\")", - "risk_score": 21, - "rule_id": "f68d83a1-24cb-4b8d-825b-e8af400b9670", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1088", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1088/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json index e9729ff102619..135e81148475f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json @@ -1,10 +1,10 @@ { - "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt evade detection or destroy forensic evidence on a system.", + "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "index": [ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Clearing Windows Event Logs", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and (process.name:\"wevtutil.exe\" and process.args:\"cl\") or (process.name:\"powershell.exe\" and process.args:\"Clear-EventLog\")", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json index 479bb4a2a6d7c..815e2abd0fc96 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Delete Volume USN Journal with Fsutil", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"fsutil.exe\" and process.args:(\"usn\" and \"deletejournal\")", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json index 204925e4b677b..d990e071b2123 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Deleting Backup Catalogs with Wbadmin", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wbadmin.exe\" and process.args:(\"delete\" and \"catalog\")", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json index b6398a9985e7e..9d1cebb32c865 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Direct Outbound SMB Connection", "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and destination.port:445 and not process.pid:4 and not destination.ip:(\"127.0.0.1\" or \"::1\")", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json index 32b43cc24e91b..7ead979f27bb1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Disable Windows Firewall Rules via Netsh", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"netsh.exe\" and process.args:(\"firewall\" and \"set\" and \"disable\") or process.args:(\"advfirewall\" and \"state\" and \"off\")", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json deleted file mode 100644 index 5740453b6ae6d..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_dll_search_order_hijack.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "description": "Detects writing DLL files to known locations associated with Windows files vulnerable to DLL search order hijacking.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "DLL Search Order Hijack", - "query": " event.action:\"File created (rule: FileCreate)\" and not winlog.user.identifier:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and file.path:(\"C\\Windows\\ehome\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptbase.dll\" or \"C\\Windows\\System32\\Sysprep\\cryptsp.dll\" or \"C\\Windows\\System32\\Sysprep\\rpcrtremote.dll\" or \"C\\Windows\\System32\\Sysprep\\uxtheme.dll\" or \"C\\Windows\\System32\\Sysprep\\dwmapi.dll\" or \"C\\Windows\\System32\\Sysprep\\shcore.dll\" or \"C\\Windows\\System32\\Sysprep\\oleacc.dll\" or \"C\\Windows\\System32\\ntwdblib.dll\") ", - "risk_score": 47, - "rule_id": "73fbc44c-c3cd-48a8-a473-f4eb2065c716", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1088", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1088/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1088", - "name": "Bypass User Account Control", - "reference": "https://attack.mitre.org/techniques/T1088/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json index 37e1c26885a15..2cb92f0a26c90 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Encoding or Decoding Files via CertUtil", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"certutil.exe\" and process.args:(\"-encode\" or \"/encode\" or \"-decode\" or \"/decode\")", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json index dc4991f86a0f5..e7f46b46c2ce2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json @@ -7,7 +7,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Local Scheduled Task Commands", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:schtasks.exe and process.args:(\"/create\" or \"-create\" or \"/S\" or \"-s\" or \"/run\" or \"-run\" or \"/change\" or \"-change\")", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json index eb6f2377376f2..b018435ea0214 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Local Service Commands", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:sc.exe and process.args:(\"create\" or \"config\" or \"failure\" or \"start\")", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json deleted file mode 100644 index 26bd65b897c63..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_modification_of_boot_configuration.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Modification of Boot Configuration", - "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"bcdedit.exe\" and process.args:\"set\" and process.args:( (\"bootstatuspolicy\" and \"ignoreallfailures\") or (\"recoveryenabled\" and \"no\") ) ", - "risk_score": 73, - "rule_id": "b9ab2f7f-f719-4417-9599-e0252fffe2d8", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1107", - "name": "File Deletion", - "reference": "https://attack.mitre.org/techniques/T1107/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json index d40ffed523c6a..7d84e0bda06e5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json @@ -4,9 +4,9 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "MsBuild Making Network Connections", - "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:msbuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")", + "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:MSBuild.exe and not destination.ip:(\"127.0.0.1\" or \"::1\")", "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json index 7905d80c6e8c2..44141b08fb8f0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json @@ -4,9 +4,9 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Network Connection via Mshta", - "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\" and not process.name:\"mshta.exe\"", + "query": "event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:\"mshta.exe\"", "references": [ "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" ], diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json deleted file mode 100644 index 16ef15589f48f..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msxsl_making_network_connections.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Network Connection via MsXsl", - "query": "process.name:msxsl.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 47, - "rule_id": "d7351b03-135d-43ba-8b36-cc9b07854525", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1220", - "name": "XSL Script Processing", - "reference": "https://attack.mitre.org/techniques/T1220/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json index fd210005118b8..580f73c25a4a2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json @@ -7,9 +7,9 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "PsExec Network Connection", - "query": "process.name:psexec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ", + "query": "process.name:PsExec.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" ", "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json index a5d71e23a1215..95aabc49b5302 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Suspicious MS Office Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"winword.exe\" or \"excel.exe\" or \"powerpnt.exe\" or \"eqnedt32.exe\" or \"fltldr.exe\" or \"mspub.exe\" or \"msaccess.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json index 86716d6608049..f31228d0130f8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Suspicious MS Outlook Child Process", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"outlook.exe\" and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json deleted file mode 100644 index b0fbccf1b67a7..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_pdf_reader_child_process.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Suspicious PDF Reader Child Process", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"acrord32.exe\" or \"rdrcef.exe\" or \"foxitphantomPDF.exe\" or \"foxitreader.exe\") and process.name:(\"arp.exe\" or \"dsquery.exe\" or \"dsget.exe\" or \"gpresult.exe\" or \"hostname.exe\" or \"ipconfig.exe\" or \"nbtstat.exe\" or \"net.exe\" or \"net1.exe\" or \"netsh.exe\" or \"netstat.exe\" or \"nltest.exe\" or \"ping.exe\" or \"qprocess.exe\" or \"quser.exe\" or \"qwinsta.exe\" or \"reg.exe\" or \"sc.exe\" or \"systeminfo.exe\" or \"tasklist.exe\" or \"tracert.exe\" or \"whoami.exe\" or \"bginfo.exe\" or \"cdb.exe\" or \"cmstp.exe\" or \"csi.exe\" or \"dnx.exe\" or \"fsi.exe\" or \"ieexec.exe\" or \"iexpress.exe\" or \"installutil.exe\" or \"Microsoft.Workflow.Compiler.exe\" or \"msbuild.exe\" or \"mshta.exe\" or \"msxsl.exe\" or \"odbcconf.exe\" or \"rcsi.exe\" or \"regsvr32.exe\" or \"xwizard.exe\" or \"atbroker.exe\" or \"forfiles.exe\" or \"schtasks.exe\" or \"regasm.exe\" or \"regsvcs.exe\" or \"cmd.exe\" or \"cscript.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"wmic.exe\" or \"wscript.exe\" or \"bitsadmin.exe\" or \"certutil.exe\" or \"ftp.exe\") ", - "risk_score": 73, - "rule_id": "afcac7b1-d092-43ff-a136-aa7accbda38f", - "severity": "high", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1193", - "name": "Spearphishing Attachment", - "reference": "https://attack.mitre.org/techniques/T1193/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json index 984b522596c1e..a38232f37843e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "System Shells via Services", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:\"services.exe\" and process.name:(\"cmd.exe\" or \"powershell.exe\")", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json index 03b9bebb655c3..820c69cb3c809 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Unusual Network Connection via RunDLL32", "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json index 72eb17863e0d3..21d3d2741378a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Unusual Parent-Child Relationship ", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.executable:* and ( (process.name:\"smss.exe\" and not process.parent.name:(\"System\" or \"smss.exe\")) or (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\" or \"svchost.exe\")) or (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or (process.name:\"lsass.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"LogonUI.exe\" and not process.parent.name:(\"winlogon.exe\" or \"wininit.exe\")) or (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or (process.name:\"svchost.exe\" and not process.parent.name:(\"services.exe\" or \"MsMpEng.exe\")) or (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\" or \"svchost.exe\")) or (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\" or \"winlogon.exe\")) )", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json index 8ca16198ff175..ee861e19341af 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Unusual Process Network Connection", "query": " event.action:\"Network connection detected (rule: NetworkConnect)\" and process.name:(bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or Microsoft.Workflow.Compiler.exe or odbcconf.exe or rcsi.exe or xwizard.exe)", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json index dee3d18bd5eda..5a7aeab224548 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "User Account Creation", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"user\" and (\"/add\" or \"/ad\")) ", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json deleted file mode 100644 index 4ed6a06b18d3b..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_added_to_administrator_group.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies attempts to add a user to an administrative group with the \"net.exe\" command. This is sometimes done by attackers to increase access of a compromised account or create new account.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "User Added to Administrator Group", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"net.exe\" or \"net1.exe\") and not process.parent.name:\"net.exe\" and process.args:(\"group\" and \"admin\" and \"/add\") ", - "risk_score": 47, - "rule_id": "4426de6f-6103-44aa-a77e-49d672836c27", - "severity": "medium", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json index cdeeb1563dfde..80c0dd962c099 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Volume Shadow Copy Deletion via VssAdmin", "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"vssadmin.exe\" and process.args:(\"delete\" and \"shadows\") ", "risk_score": 73, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json index 9465cf84d73f4..d90aca1e2eaf4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json @@ -4,9 +4,9 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Volume Shadow Copy Deletion via WMIC", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"shadowcopy\" and \"delete\")", + "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"WMIC.exe\" and process.args:(\"shadowcopy\" and \"delete\")", "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "severity": "high", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json index f3df1276de53d..8f6e97cdd7bdb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Windows Script Executing PowerShell", "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json deleted file mode 100644 index a50d9e64f2e2b..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_wmic_command_lateral_movement.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "description": "Identifies use of wmic.exe to run commands on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", - "false_positives": [ - "The WMIC utility provides a command-line interface for WMI, which can be used for an array of administrative capabilities. It's important to baseline your environment to determine any abnormal use of this tool." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "WMIC Command Lateral Movement", - "query": " event.action:\"Process Create (rule: ProcessCreate)\" and process.name:\"wmic.exe\" and process.args:(\"/node\" or \"-node\") and process.args:(\"call\" or \"set\")", - "risk_score": 21, - "rule_id": "9616587f-6396-42d0-bd31-ef8dbd806210", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts index b454501e9f563..d9841948f35a5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts @@ -26,99 +26,79 @@ import rule16 from './elastic_endpoint_security_ransomware_detected.json'; import rule17 from './elastic_endpoint_security_ransomware_prevented.json'; import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json'; import rule19 from './eql_adobe_hijack_persistence.json'; -import rule20 from './eql_audio_capture_via_powershell.json'; -import rule21 from './eql_audio_capture_via_soundrecorder.json'; -import rule22 from './eql_bypass_uac_event_viewer.json'; -import rule23 from './eql_bypass_uac_via_cmstp.json'; -import rule24 from './eql_bypass_uac_via_sdclt.json'; -import rule25 from './eql_clearing_windows_event_logs.json'; -import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json'; -import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json'; -import rule28 from './eql_direct_outbound_smb_connection.json'; -import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json'; -import rule30 from './eql_dll_search_order_hijack.json'; -import rule31 from './eql_encoding_or_decoding_files_via_certutil.json'; -import rule32 from './eql_local_scheduled_task_commands.json'; -import rule33 from './eql_local_service_commands.json'; -import rule34 from './eql_modification_of_boot_configuration.json'; -import rule35 from './eql_msbuild_making_network_connections.json'; -import rule36 from './eql_mshta_making_network_connections.json'; -import rule37 from './eql_msxsl_making_network_connections.json'; -import rule38 from './eql_psexec_lateral_movement_command.json'; -import rule39 from './eql_suspicious_ms_office_child_process.json'; -import rule40 from './eql_suspicious_ms_outlook_child_process.json'; -import rule41 from './eql_suspicious_pdf_reader_child_process.json'; -import rule42 from './eql_system_shells_via_services.json'; -import rule43 from './eql_unusual_network_connection_via_rundll32.json'; -import rule44 from './eql_unusual_parentchild_relationship.json'; -import rule45 from './eql_unusual_process_network_connection.json'; -import rule46 from './eql_user_account_creation.json'; -import rule47 from './eql_user_added_to_administrator_group.json'; -import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; -import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json'; -import rule50 from './eql_windows_script_executing_powershell.json'; -import rule51 from './eql_wmic_command_lateral_movement.json'; -import rule52 from './linux_hping_activity.json'; -import rule53 from './linux_iodine_activity.json'; -import rule54 from './linux_kernel_module_activity.json'; -import rule55 from './linux_ldso_process_activity.json'; -import rule56 from './linux_mknod_activity.json'; -import rule57 from './linux_netcat_network_connection.json'; -import rule58 from './linux_nmap_activity.json'; -import rule59 from './linux_nping_activity.json'; -import rule60 from './linux_process_started_in_temp_directory.json'; -import rule61 from './linux_shell_activity_by_web_server.json'; -import rule62 from './linux_socat_activity.json'; -import rule63 from './linux_strace_activity.json'; -import rule64 from './linux_tcpdump_activity.json'; -import rule65 from './linux_whoami_commmand.json'; -import rule66 from './network_dns_directly_to_the_internet.json'; -import rule67 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; -import rule68 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; -import rule69 from './network_nat_traversal_port_activity.json'; -import rule70 from './network_port_26_activity.json'; -import rule71 from './network_port_8000_activity_to_the_internet.json'; -import rule72 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; -import rule73 from './network_proxy_port_activity_to_the_internet.json'; -import rule74 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; -import rule75 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; -import rule76 from './network_rpc_remote_procedure_call_from_the_internet.json'; -import rule77 from './network_rpc_remote_procedure_call_to_the_internet.json'; -import rule78 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule79 from './network_smtp_to_the_internet.json'; -import rule80 from './network_sql_server_port_activity_to_the_internet.json'; -import rule81 from './network_ssh_secure_shell_from_the_internet.json'; -import rule82 from './network_ssh_secure_shell_to_the_internet.json'; -import rule83 from './network_telnet_port_activity.json'; -import rule84 from './network_tor_activity_to_the_internet.json'; -import rule85 from './network_vnc_virtual_network_computing_from_the_internet.json'; -import rule86 from './network_vnc_virtual_network_computing_to_the_internet.json'; -import rule87 from './null_user_agent.json'; -import rule88 from './sqlmap_user_agent.json'; -import rule89 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; -import rule90 from './windows_certutil_connecting_to_the_internet.json'; -import rule91 from './windows_command_prompt_connecting_to_the_internet.json'; -import rule92 from './windows_command_shell_started_by_internet_explorer.json'; -import rule93 from './windows_command_shell_started_by_powershell.json'; -import rule94 from './windows_command_shell_started_by_svchost.json'; -import rule95 from './windows_defense_evasion_via_filter_manager.json'; -import rule96 from './windows_execution_via_compiled_html_file.json'; -import rule97 from './windows_execution_via_connection_manager.json'; -import rule98 from './windows_execution_via_net_com_assemblies.json'; -import rule99 from './windows_execution_via_regsvr32.json'; -import rule100 from './windows_execution_via_trusted_developer_utilities.json'; -import rule101 from './windows_html_help_executable_program_connecting_to_the_internet.json'; -import rule102 from './windows_misc_lolbin_connecting_to_the_internet.json'; -import rule103 from './windows_net_command_activity_by_the_system_account.json'; -import rule104 from './windows_persistence_via_application_shimming.json'; -import rule105 from './windows_priv_escalation_via_accessibility_features.json'; -import rule106 from './windows_process_discovery_via_tasklist_command.json'; -import rule107 from './windows_process_execution_via_wmi.json'; -import rule108 from './windows_register_server_program_connecting_to_the_internet.json'; -import rule109 from './windows_signed_binary_proxy_execution.json'; -import rule110 from './windows_signed_binary_proxy_execution_download.json'; -import rule111 from './windows_suspicious_process_started_by_a_script.json'; -import rule112 from './windows_whoami_command_activity.json'; +import rule20 from './eql_clearing_windows_event_logs.json'; +import rule21 from './eql_delete_volume_usn_journal_with_fsutil.json'; +import rule22 from './eql_deleting_backup_catalogs_with_wbadmin.json'; +import rule23 from './eql_direct_outbound_smb_connection.json'; +import rule24 from './eql_disable_windows_firewall_rules_with_netsh.json'; +import rule25 from './eql_encoding_or_decoding_files_via_certutil.json'; +import rule26 from './eql_local_scheduled_task_commands.json'; +import rule27 from './eql_local_service_commands.json'; +import rule28 from './eql_msbuild_making_network_connections.json'; +import rule29 from './eql_mshta_making_network_connections.json'; +import rule30 from './eql_psexec_lateral_movement_command.json'; +import rule31 from './eql_suspicious_ms_office_child_process.json'; +import rule32 from './eql_suspicious_ms_outlook_child_process.json'; +import rule33 from './eql_system_shells_via_services.json'; +import rule34 from './eql_unusual_network_connection_via_rundll32.json'; +import rule35 from './eql_unusual_parentchild_relationship.json'; +import rule36 from './eql_unusual_process_network_connection.json'; +import rule37 from './eql_user_account_creation.json'; +import rule38 from './eql_volume_shadow_copy_deletion_via_vssadmin.json'; +import rule39 from './eql_volume_shadow_copy_deletion_via_wmic.json'; +import rule40 from './eql_windows_script_executing_powershell.json'; +import rule41 from './linux_hping_activity.json'; +import rule42 from './linux_iodine_activity.json'; +import rule43 from './linux_kernel_module_activity.json'; +import rule44 from './linux_mknod_activity.json'; +import rule45 from './linux_netcat_network_connection.json'; +import rule46 from './linux_nmap_activity.json'; +import rule47 from './linux_nping_activity.json'; +import rule48 from './linux_process_started_in_temp_directory.json'; +import rule49 from './linux_shell_activity_by_web_server.json'; +import rule50 from './linux_socat_activity.json'; +import rule51 from './linux_strace_activity.json'; +import rule52 from './linux_tcpdump_activity.json'; +import rule53 from './linux_whoami_commmand.json'; +import rule54 from './network_dns_directly_to_the_internet.json'; +import rule55 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; +import rule56 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; +import rule57 from './network_nat_traversal_port_activity.json'; +import rule58 from './network_port_26_activity.json'; +import rule59 from './network_port_8000_activity_to_the_internet.json'; +import rule60 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; +import rule61 from './network_proxy_port_activity_to_the_internet.json'; +import rule62 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; +import rule63 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; +import rule64 from './network_rpc_remote_procedure_call_from_the_internet.json'; +import rule65 from './network_rpc_remote_procedure_call_to_the_internet.json'; +import rule66 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; +import rule67 from './network_smtp_to_the_internet.json'; +import rule68 from './network_sql_server_port_activity_to_the_internet.json'; +import rule69 from './network_ssh_secure_shell_from_the_internet.json'; +import rule70 from './network_ssh_secure_shell_to_the_internet.json'; +import rule71 from './network_telnet_port_activity.json'; +import rule72 from './network_tor_activity_to_the_internet.json'; +import rule73 from './network_vnc_virtual_network_computing_from_the_internet.json'; +import rule74 from './network_vnc_virtual_network_computing_to_the_internet.json'; +import rule75 from './null_user_agent.json'; +import rule76 from './sqlmap_user_agent.json'; +import rule77 from './windows_command_prompt_connecting_to_the_internet.json'; +import rule78 from './windows_command_shell_started_by_powershell.json'; +import rule79 from './windows_command_shell_started_by_svchost.json'; +import rule80 from './windows_defense_evasion_via_filter_manager.json'; +import rule81 from './windows_execution_via_compiled_html_file.json'; +import rule82 from './windows_execution_via_regsvr32.json'; +import rule83 from './windows_execution_via_trusted_developer_utilities.json'; +import rule84 from './windows_html_help_executable_program_connecting_to_the_internet.json'; +import rule85 from './windows_misc_lolbin_connecting_to_the_internet.json'; +import rule86 from './windows_persistence_via_application_shimming.json'; +import rule87 from './windows_priv_escalation_via_accessibility_features.json'; +import rule88 from './windows_process_discovery_via_tasklist_command.json'; +import rule89 from './windows_register_server_program_connecting_to_the_internet.json'; +import rule90 from './windows_signed_binary_proxy_execution.json'; +import rule91 from './windows_suspicious_process_started_by_a_script.json'; +import rule92 from './windows_whoami_command_activity.json'; export const rawRules = [ rule1, rule2, @@ -212,24 +192,4 @@ export const rawRules = [ rule90, rule91, rule92, - rule93, - rule94, - rule95, - rule96, - rule97, - rule98, - rule99, - rule100, - rule101, - rule102, - rule103, - rule104, - rule105, - rule106, - rule107, - rule108, - rule109, - rule110, - rule111, - rule112, ]; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json index 517e16fb3d284..c4b14389c0f75 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json @@ -1,5 +1,5 @@ { - "description": "Hping ran on a Linux host. Hping is FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications including scanning and firewall auditing.", + "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", "false_positives": [ "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." ], @@ -7,9 +7,9 @@ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Hping Process Activity", - "query": "process.name: hping and event.action:executed", + "query": "process.name: (hping3 or hping2 or hping) and event.action:executed", "references": [ "https://en.wikipedia.org/wiki/Hping" ], diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json index 49f18ef9871a1..b8455a4d2b21d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json @@ -1,5 +1,5 @@ { - "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol in order to circumvent firewalls, network security groups or network access lists while evading detection.", + "description": "Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.", "false_positives": [ "Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." ], @@ -7,7 +7,7 @@ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Potential DNS Tunneling via Iodine", "query": "process.name: (iodine or iodined) and event.action:executed", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json index 8c94694ca4d04..f1d12de674488 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json @@ -1,5 +1,5 @@ { - "description": "Identifies loadable kernel module errors, often indicative of potential persistence attempts.", + "description": "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.", "false_positives": [ "Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon." ], @@ -7,7 +7,7 @@ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Persistence via Kernel Module Modification", "query": "process.name: (insmod or kmod or modprobe or rmod) and event.action:executed", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json deleted file mode 100644 index 82a2a16080160..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ldso_process_activity.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "description": "The dynamic linker, ld.so, runs in a privileged context and can be used to escape restrictive environments by spawning a shell in order to elevate privileges or move laterally.", - "false_positives": [ - "ld.so is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or administrators. Use of ld.so by non-engineers or ordinary users is uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Ld.so Process Activity", - "query": "process.name:ld.so and event.action:executed", - "risk_score": 21, - "rule_id": "3f31a31c-f7cf-4268-a0df-ec1a98099e7f", - "severity": "low", - "tags": [ - "Elastic", - "Linux" - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json index 8f4e1f40fad12..b0d4c29dc00d3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json @@ -1,13 +1,13 @@ { - "description": "The Linux mknod program is sometimes used in the command payload of remote command injection (RCI) and other exploits to export a command shell when the traditional version of netcat is not available to the payload.", + "description": "The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. It is used to export a command shell when the traditional version of netcat is not available to the payload.", "false_positives": [ - "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious." + "Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." ], "index": [ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Mknod Process Activity", "query": "process.name: mknod and event.action:executed", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json index b06a342d24977..6ab1c1285c0d7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json @@ -1,13 +1,13 @@ { - "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. ", + "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", "false_positives": [ - "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools and frameworks." + "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." ], "index": [ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Netcat Network Activity", "query": "process.name: (nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action: (connected-to or bound-socket or socket_opened)", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json index 406cd8e026e7a..5d7169219a6f1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json @@ -1,13 +1,13 @@ { - "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", + "description": "Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.", "false_positives": [ - "Security testing tools and frameworks may run nmap in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." + "Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is uncommon." ], "index": [ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Nmap Process Activity", "query": "process.name: nmap", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json index de53e05e70fa3..6a713d22e3219 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json @@ -1,13 +1,13 @@ { - "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications including denial of service testing.", + "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": [ - "Some normal use of this command may originate from security engineers and network or server administrators but this is usually not routine or unannounced. Use of nping by non-engineers or ordinary users is uncommon." + "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." ], "index": [ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Nping Process Activity", "query": "process.name: nping and event.action:executed", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json index 4ed021a4c864d..c80bb4eb41615 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json @@ -1,13 +1,13 @@ { "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.", "false_positives": [ - "Build systems like Jenkins may start processes in the /tmp directory. These can be exempted by name or by username." + "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username." ], "index": [ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Unusual Process Execution - Temp", "query": "process.working_directory: /tmp and event.action:executed", "risk_score": 47, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index ac817762fdb71..eff3dd0ab1400 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json @@ -7,9 +7,9 @@ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Potential Shell via Web Server", - "query": "process.name: bash and (user.name: apache or www) and event.action:executed", + "query": "process.name: bash and user.name: (apache or www or \"wwww-data\") and event.action:executed", "references": [ "https://pentestlab.blog/tag/web-shell/" ], diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json index 481a99518d4ed..56fb41dc5f78f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json @@ -1,13 +1,13 @@ { - "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Socat is also sometimes used for lateral movement. ", + "description": "A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.", "false_positives": [ - "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by web servers is more likely to be suspicious." + "Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious." ], "index": [ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Socat Process Activity", "query": "process.name:socat and not process.args:\"-V\" and event.action:executed", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json index f5488ae49d0fb..fdf52e7c728c6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json @@ -7,7 +7,7 @@ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Strace Process Activity", "query": "process.name: strace and event.action:executed", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json index b6dc7f1689770..908e892026ee3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json @@ -1,5 +1,5 @@ { - "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet 'sniffing' tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.", + "description": "The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.", "false_positives": [ "Some normal use of this command may originate from server or network administrators engaged in network troubleshooting." ], @@ -7,7 +7,7 @@ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Network Sniffing via Tcpdump", "query": "process.name: tcpdump and event.action:executed", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json index 91c6d2bcc9f95..052ff34d15dcd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json @@ -1,5 +1,5 @@ { - "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", + "description": "The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.", "false_positives": [ "Security testing tools and frameworks may run this command. Some normal use of this command may originate from automation tools and frameworks." ], @@ -7,7 +7,7 @@ "auditbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "User Discovery via Whoami", "query": "process.name: whoami and event.action:executed", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json index 3d1b07a267eca..72e2ca1490417 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects internal network client sending DNS traffic directly to the Internet.\nThis is atypical behavior for a managed network and can be indicative of malware,\nexfiltration, command and control or simply misconfiguration. This also impacts your\norganization's ability to provide enterprise monitoring and logging of DNS and opens\nyour network to a variety of abuses or malicious communications.\n", + "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet.\nThis is atypical behavior for a managed network, and can be indicative of malware,\nexfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your\norganization's ability to provide enterprise monitoring and logging of DNS, and opens\nyour network to a variety of abuses and malicious communications.\n", "false_positives": [ - "DNS servers should be excluded from this rule as this is expected behavior for them. Endpoints usually query local DNS servers defined in their DHCP scopes but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it would tend to break intra-net name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations; in that case, such devices or networks can be excluded from this rule if this is expected behavior." + "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "DNS Activity to the Internet", "query": "destination.port:53 and (\n network.direction: outbound or (\n source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\\:\\:fb or 255.255.255.255 )\n )\n)\n", "references": [ @@ -22,7 +22,7 @@ "severity": "medium", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json index ef7b39412c808..54daf8a2091a7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects events that may indicate the use of FTP network connections to the Internet.\nThe File Transfer Protocol (FTP) has been around in its current form since the\n1980's. It can be an efficient and normal procedure on your network to send and\nreceive files. Because it is common and efficient, adversaries will also often\nuse this protocol to ex-filtrate data from your network or download new tools.\nAdditionally, FTP is a plain-text protocol which may expose your user name and\npassword, if intercepted. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.\n", + "description": "This rule detects events that may indicate the use of FTP network connections to the Internet.\nThe File Transfer Protocol (FTP) has been around in its current form since the\n1980s. It can be a common and efficient procedure on your network to send and\nreceive files. Because of this, adversaries will also often use this protocol\nto exfiltrate data from your network or download new tools. Additionally, FTP\nis a plain-text protocol which, if intercepted, may expose usernames and\npasswords. FTP activity involving servers subject to regulations or compliance\nstandards may be unauthorized.\n", "false_positives": [ - "FTP servers should be excluded from this rule as this is expected behavior for them. Some business work-flows may use FTP for data exchange. These work-flows often have expected characteristics such as users, sources and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP work-flow or business requirement is often suspicious. NEW NEW" + "FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "FTP (File Transfer Protocol) Activity to the Internet", "query": "network.transport: tcp and destination.port: (20 or 21) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 21, @@ -18,7 +18,7 @@ "severity": "low", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json index 2700eae977482..d01006a225886 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects events that use common ports for IRC to the Internet. IRC (Internet Relay Chat)\nis a common protocol that can be used chat and file transfer. This protocol\nalso makes a good candidate for remote control of malware and data transfer in\nand out of a network.\n", + "description": "This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet.\nIRC is a common protocol that can be used for chat and file transfers. This\nprotocol is also a good candidate for remote control of malware and data\ntransfers to and from a network.\n", "false_positives": [ - "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATted web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some legacy applications may use these ports but this is very uncommon and usually appears only in local traffic using private IPs which this rule does not match." + "IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule's conditions." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", "query": "network.transport: tcp and destination.port:(6667 or 6697) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 47, @@ -18,7 +18,7 @@ "severity": "medium", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json index e87e296017a36..c66a9e9d77fe4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json @@ -1,16 +1,16 @@ { - "description": "This signal detects events that could be describing IPSEC NAT Traversal traffic.\nIPSEC is a VPN technology that allows one system to talk to another using\nencrypted tunnels. NAT Traversal enables these tunnels to communicate over\nthe Internet where one of the sides is behind a NAT router gateway. This may\nbe common on your network, but this technique is also used by threat actors\nto avoid detection.\n", + "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic.\nIPSEC is a VPN technology that allows one system to talk to another using\nencrypted tunnels. NAT Traversal enables these tunnels to communicate over the\nInternet where one of the sides is behind a NAT router gateway. This may be\ncommon on your network, but this technique is also used by threat actors to\navoid detection.\n", "false_positives": [ - "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions such as when a application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded if desired." + "Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "IPSEC NAT Traversal Port Activity", "query": "network.transport: udp and destination.port: 4500", "risk_score": 21, @@ -18,7 +18,7 @@ "severity": "low", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json index 352fc5e44dc80..7b26141898532 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json @@ -1,18 +1,18 @@ { - "description": "This signal detects events that may indicate use of SMTP on TCP port 26. This\nport is commonly used by several popular mail transfer agents to deconflict\nwith the default SMTP port 25. This port has also been used by a malware family\ncalled BadPatch for command and control of Windows systems.\n", + "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This\nport is commonly used by several popular mail transfer agents to deconflict\nwith the default SMTP port 25. This port has also been used by a malware family\ncalled BadPatch for command and control of Windows systems.\n", "false_positives": [ - "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior for them." + "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "SMTP on Port 26/TCP", - "query": "network.transport: tcp and destination.port: 26", + "query": "network.transport: tcp and destination.port: 26\n", "references": [ "https://unit42.paloaltonetworks.com/unit42-badpatch/", "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" @@ -22,7 +22,7 @@ "severity": "low", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json index 2b3d08a7c80d9..7551119cd5a84 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json @@ -1,16 +1,16 @@ { "description": "TCP Port 8000 is commonly used for development environments of web server\nsoftware. It generally should not be exposed directly to the Internet. If you are\nrunning software like this on the Internet, you should consider placing it behind\na reverse proxy.\n", "false_positives": [ - "Because this port is in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." + "Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "TCP Port 8000 Activity to the Internet", "query": "network.transport: tcp and destination.port: 8000 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 21, @@ -18,7 +18,7 @@ "severity": "low", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json index b008ca2c2bee6..eeb38f756c67a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json @@ -1,24 +1,24 @@ { - "description": "This signal detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection.", + "description": "This rule detects events that may indicate use of a PPTP VPN connection. Some\nthreat actors use these types of connections to tunnel their traffic while\navoiding detection.\n", "false_positives": [ - "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions such as when an application server with replies to a client which has used this port by coincidence. This is uncommon but such servers can be excluded if desired." + "Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server replies to a client that used this port by coincidence. This is uncommon but such servers can be excluded." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "PPTP (Point to Point Tunneling Protocol) Activity", - "query": "network.transport: tcp and destination.port: 1723", + "query": "network.transport: tcp and destination.port: 1723\n", "risk_score": 21, "rule_id": "d2053495-8fe7-4168-b3df-dad844046be3", "severity": "low", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json index f7c6ffddcaf9e..981a7bdffcfed 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects events that may describe network events of proxy use to the\nInternet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically\nenvironments will use an internal IP address for a proxy server. It can also\nbe used to circumvent network controls and detection mechanisms.\n", + "description": "This rule detects events that may describe network events of proxy use to the\nInternet. It includes popular HTTP proxy ports and SOCKS proxy ports. Typically,\nenvironments will use an internal IP address for a proxy server. It can also\nbe used to circumvent network controls and detection mechanisms.\n", "false_positives": [ - "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." + "Some proxied applications may use these ports but this usually occurs in local traffic using private IPs\n which this rule does not match. Proxies are widely used as a security technology but in enterprise environments\n this is usually local traffic which this rule does not match. Internet proxy services using these ports can be\n white-listed if desired. Some screen recording applications may use these ports. Proxy port activity involving\n an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or\n direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in\n the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a\n client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "Proxy Port Activity to the Internet", "query": "network.transport: tcp and destination.port: (3128 or 8080 or 1080) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 47, @@ -18,7 +18,7 @@ "severity": "medium", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json index e3853c30e6ad9..504df93f2f8ed 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects network events that may indicate the use of RDP traffic\nfrom the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "description": "This rule detects network events that may indicate the use of RDP traffic\nfrom the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", "false_positives": [ - "Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + " Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to\n server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the\n Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump\n servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may\n be required by some work-flows such as remote access and support for specialized software products and\n servers. Such work-flows are usually known and not unexpected." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "RDP (Remote Desktop Protocol) from the Internet", "query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n and destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 47, @@ -18,7 +18,7 @@ "severity": "medium", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json index 55b9716af9346..2d9fa6ba06dfd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects network events that may indicate the use of RDP traffic\nto the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "description": "This rule detects network events that may indicate the use of RDP traffic\nto the Internet. RDP is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", "false_positives": [ - "RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + "RDP connections may be made directly to Internet destinations in order to access\n Windows cloud server instances but such connections are usually made only by engineers.\n In such cases, only RDP gateways, bastions or jump servers may be expected Internet\n destinations and can be exempted from this rule. RDP may be required by some work-flows\n such as remote access and support for specialized software products and servers. Such\n work-flows are usually known and not unexpected. Usage that is unfamiliar to server or\n network owners can be unexpected and suspicious." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "RDP (Remote Desktop Protocol) to the Internet", "query": "network.transport: tcp and destination.port: 3389 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 21, @@ -18,7 +18,7 @@ "severity": "low", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json index 1570d3d155fea..d50c79db81ba5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json @@ -1,13 +1,13 @@ { - "description": "This signal detects network events that may indicate the use of RPC traffic\nfrom the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "description": "This rule detects network events that may indicate the use of RPC traffic\nfrom the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "RPC (Remote Procedure Call) from the Internet", "query": "network.transport: tcp and destination.port: 135 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 73, @@ -15,7 +15,7 @@ "severity": "high", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json index 91db97dabdd46..ade7b661a7909 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json @@ -1,13 +1,13 @@ { - "description": "This signal detects network events that may indicate the use of RPC traffic\nto the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "description": "This rule detects network events that may indicate the use of RPC traffic\nto the Internet. RPC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "RPC (Remote Procedure Call) to the Internet", "query": "network.transport: tcp and destination.port: 135 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 73, @@ -15,7 +15,7 @@ "severity": "high", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json index 991c626c11d33..62c2fafb7404f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json @@ -1,13 +1,13 @@ { - "description": "This signal detects network events that may indicate the use of Windows\nfile sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly\nused within networks to share files, printers, and other system resources amongst\ntrusted systems. It should almost never be directly exposed to the Internet, as\nit is frequently targeted and exploited by threat actors as an initial access\nor back-door vector or for data exfiltration.\n", + "description": "This rule detects network events that may indicate the use of Windows\nfile sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly\nused within networks to share files, printers, and other system resources amongst\ntrusted systems. It should almost never be directly exposed to the Internet, as\nit is frequently targeted and exploited by threat actors as an initial access\nor back-door vector or for data exfiltration.\n", "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "SMB (Windows File Sharing) Activity to the Internet", "query": "network.transport: tcp and destination.port: (139 or 445) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 73, @@ -15,7 +15,7 @@ "severity": "high", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json index 68daf71d9992a..02fca5603910e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects events that may describe SMTP traffic from internal\nhosts to a host across the Internet. In an enterprise network, there is typically\na dedicate host that is internal that could perform this function. It is also\nfrequently abused by threat actors for command and control or data exfiltration.\n", + "description": "This rule detects events that may describe SMTP traffic from internal\nhosts to a host across the Internet. In an enterprise network, there is typically\na dedicated internal host that performs this function. It is also\nfrequently abused by threat actors for command and control, or data exfiltration.\n", "false_positives": [ - "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and / or personal devices may send email traffic to remote Internet destinations; in that case, such devices or networks can be excluded from this rule if this is expected behavior." + "NATed servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this case, such devices or networks can be excluded from this rule if this is expected behavior." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "SMTP to the Internet", "query": "network.transport: tcp and destination.port: (25 or 465 or 587) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 21, @@ -18,7 +18,7 @@ "severity": "low", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json index df779d47246a5..67e6a08ddf791 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects events that may describe database traffic\n(MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases\nshould almost never be directly exposed to the Internet, as they are\nfrequently targeted by threat actors to gain initial access to network resources.\n", + "description": "This rule detects events that may describe database traffic\n(MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases\nshould almost never be directly exposed to the Internet, as they are\nfrequently targeted by threat actors to gain initial access to network resources.\n", "false_positives": [ - "Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet." + "Because these ports are in the ephemeral range, this rule may false under certain conditions\n such as when a NATed web server replies to a client which has used a port in the range by\n coincidence. In this case, such servers can be excluded if desired. Some cloud environments may\n use this port when VPNs or direct connects are not in use and database instances are accessed\n directly across the Internet." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "SQL Traffic to the Internet", "query": "network.transport: tcp and destination.port: (1433 or 1521 or 3336 or 5432) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 47, @@ -18,7 +18,7 @@ "severity": "medium", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json index 6c278700450b1..052600a0db68a 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "description": "This rule detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", "false_positives": [ - "Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected." + "Some network security policies allow SSH directly from the Internet but usage that is\n unfamiliar to server or network owners can be unexpected and suspicious. SSH services may\n be exposed directly to the Internet in some networks such as cloud environments. In such\n cases, only SSH gateways, bastions or jump servers may be expected expose SSH directly to\n the Internet and can be exempted from this rule. SSH may be required by some work-flows\n such as remote access and support for specialized software products and servers. Such\n work-flows are usually known and not unexpected." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "SSH (Secure Shell) from the Internet", "query": "network.transport: tcp and destination.port:22 and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 47, @@ -18,7 +18,7 @@ "severity": "medium", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json index 63f2dbc8a34f1..e3c3135c9240d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "description": "This rule detects network events that may indicate the use of SSH traffic\nfrom the Internet. SSH is commonly used by system administrators to remotely\ncontrol a system using the command line shell. If it is exposed to the Internet,\nit should be done with strong security controls as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", "false_positives": [ - "SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + "SSH connections may be made directly to Internet destinations in order to access Linux\n cloud server instances but such connections are usually made only by engineers. In such cases,\n only SSH gateways, bastions or jump servers may be expected Internet destinations and can be\n exempted from this rule. SSH may be required by some work-flows such as remote access and support\n for specialized software products and servers. Such work-flows are usually known and not unexpected.\n Usage that is unfamiliar to server or network owners can be unexpected and suspicious." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "SSH (Secure Shell) to the Internet", "query": "network.transport: tcp and destination.port:22 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 21, @@ -18,7 +18,7 @@ "severity": "low", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json index 0d28f0ea53d9a..c05791c8a107d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json @@ -1,16 +1,16 @@ { - "description": "This signal detects network events that may indicate the use of Telnet traffic.\nTelnet is commonly used by system administrators to remotely control older or embed ed\nsystems using the command line shell. It should almost never be directly exposed to\nthe Internet, as it is frequently targeted and exploited by threat actors as an\ninitial access or back-door vector. As a plain-text protocol, it may also expose\n", + "description": "This rule detects network events that may indicate the use of Telnet traffic.\nTelnet is commonly used by system administrators to remotely control older or embed ed\nsystems using the command line shell. It should almost never be directly exposed to\nthe Internet, as it is frequently targeted and exploited by threat actors as an\ninitial access or back-door vector. As a plain-text protocol, it may also expose\nusernames and passwords to anyone capable of observing the traffic.\n", "false_positives": [ - "IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious." + "IoT (Internet of Things) devices and networks may use telnet and can be excluded if\n desired. Some business work-flows may use Telnet for administration of older devices. These\n often have a predictable behavior. Telnet activity involving an unusual source or destination\n may be more suspicious. Telnet activity involving a production server that has no known\n associated Telnet work-flow or business requirement is often suspicious." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "Telnet Port Activity", "query": "network.transport: tcp and destination.port: 23", "risk_score": 47, @@ -18,7 +18,7 @@ "severity": "medium", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json index 80893e9404f02..64397716eded2 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects network events that may indicate the use of Tor traffic\nto the Internet. Tor is a network protocol that sends traffic through a\nseries of encrypted tunnels used to conceal a user's location and usage.\nTor may be used by threat actors as an alternate communication pathway to\nconceal the actor's identity and avoid detection.\n", + "description": "This rule detects network events that may indicate the use of Tor traffic\nto the Internet. Tor is a network protocol that sends traffic through a\nseries of encrypted tunnels used to conceal a user's location and usage.\nTor may be used by threat actors as an alternate communication pathway to\nconceal the actor's identity and avoid detection.\n", "false_positives": [ - "Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In this case, such servers can be excluded if desired." + "Tor client activity is uncommon in managed enterprise networks but may be common\n in unmanaged or public networks where few security policies apply. Because these ports\n are in the ephemeral range, this rule may false under certain conditions such as when a\n NATed web server replies to a client which has used one of these ports by coincidence.\n In this case, such servers can be excluded if desired." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "Tor Activity to the Internet", "query": "network.transport: tcp and destination.port: (9001 or 9030) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 47, @@ -18,7 +18,7 @@ "severity": "medium", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json index e64138dd053fa..dc4fbb281f762 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "description": "This rule detects network events that may indicate the use of VNC traffic\nfrom the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", "false_positives": [ - "VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + "VNC connections may be received directly to Linux cloud server instances but\n such connections are usually made only by engineers. VNC is less common than SSH\n or RDP but may be required by some work-flows such as remote access and support\n for specialized software products or servers. Such work-flows are usually known\n and not unexpected. Usage that is unfamiliar to server or network owners can be\n unexpected and suspicious." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "VNC (Virtual Network Computing) from the Internet", "query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: inbound or (\n not source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 73, @@ -18,7 +18,7 @@ "severity": "high", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json index 8c43419c3ead5..7da5db39d9bfe 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json @@ -1,16 +1,16 @@ { - "description": "This signal detects network events that may indicate the use of VNC traffic\nto the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.\n", + "description": "This rule detects network events that may indicate the use of VNC traffic\nto the Internet. VNC is commonly used by system administrators to remotely\ncontrol a system for maintenance or to use shared resources. It should almost\nnever be directly exposed to the Internet, as it is frequently targeted and\nexploited by threat actors as an initial access or back-door vector.", "false_positives": [ - "VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious." + "VNC connections may be made directly to Linux cloud server instances but such\n connections are usually made only by engineers. VNC is less common than SSH or RDP\n but may be required by some work flows such as remote access and support for\n specialized software products or servers. Such work-flows are usually known and not\n unexpected. Usage that is unfamiliar to server or network owners can be unexpected\n and suspicious." ], "index": [ "auditbeat-*", - "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ], "language": "kuery", + "max_signals": 100, "name": "VNC (Virtual Network Computing) to the Internet", "query": "network.transport: tcp and (destination.port >= 5800 and destination.port <= 5810) and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n", "risk_score": 47, @@ -18,7 +18,7 @@ "severity": "medium", "tags": [ "Elastic", - "network" + "Network" ], "threat": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/notice.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/notice.ts index cd24d823b8cd6..a597220db752f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/notice.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/notice.ts @@ -9,8 +9,6 @@ * - windows_priv_escalation_via_accessibility_features.json * - windows_persistence_via_application_shimming.json * - windows_execution_via_trusted_developer_utilities.json - * - windows_execution_via_net_com_assemblies.json - * - windows_execution_via_connection_manager.json * * MIT License * diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json index 7975c30a4ea38..c08d910a3b355 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json @@ -1,7 +1,7 @@ { "description": "A request to a web application server contained no identifying user agent string.", "false_positives": [ - "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." + "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity." ], "filters": [ { @@ -25,7 +25,7 @@ "apm-*-transaction*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Web Application Suspicious Activity: No User Agent", "query": "url.path: *", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json index 44e112d09a45b..5c03c3a76e4a7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json @@ -1,12 +1,13 @@ { - "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11 which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. ", + "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", "false_positives": [ - "This signal does not indicate that a SQL injection attack occurred, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." + "This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." ], "index": [ "apm-*-transaction*" ], "language": "kuery", + "max_signals": 100, "name": "Web Application Suspicious Activity: sqlmap User Agent", "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"", "references": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json deleted file mode 100644 index 9b3784345b013..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "description": "Adversaries may abuse the Background Intelligent Transfer Service (BITS) to download, execute, or clean up after performing a malicious action.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Background Intelligent Transfer Service (BITS) connecting to the Internet", - "query": "process.name:bitsadmin.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 21, - "rule_id": "7edadee3-98ae-472c-b1c4-8c0a2c4877cc", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1197", - "name": "BITS Jobs", - "reference": "https://attack.mitre.org/techniques/T1197/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1197", - "name": "BITS Jobs", - "reference": "https://attack.mitre.org/techniques/T1197/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json deleted file mode 100644 index 0a960fc427d7b..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_connecting_to_the_internet.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Certutil Network Connection", - "query": "process.name:certutil.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", - "risk_score": 21, - "rule_id": "1a2cf526-6784-4c51-a2b9-f0adcc05d85c", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1105", - "name": "Remote File Copy", - "reference": "https://attack.mitre.org/techniques/T1105/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json index 87dbd4cd70777..7ab8034ef4083 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json @@ -7,7 +7,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Command Prompt Network Connection", "query": "process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json deleted file mode 100644 index a214ab4544b97..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_internet_explorer.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies a suspicious parent child process relationship with cmd.exe spawning form Internet Explorer.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Internet Explorer spawning cmd.exe", - "query": "process.parent.name:iexplore.exe and process.name:cmd.exe", - "risk_score": 21, - "rule_id": "7a6e1e81-deae-4cf6-b807-9a768fff3c06", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command-Line Interface", - "reference": "https://attack.mitre.org/techniques/T1059/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json index 187cc9d344902..d914fd2e91a07 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json @@ -4,8 +4,8 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, - "name": "PowerShell spawning cmd.exe", + "max_signals": 100, + "name": "PowerShell spawning Cmd", "query": "process.parent.name:powershell.exe and process.name:cmd.exe", "risk_score": 21, "rule_id": "0f616aee-8161-4120-857e-742366f5eeb3", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json index 81114bf8b8766..b7f0c54fedf62 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json @@ -4,8 +4,8 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, - "name": "Svchost spawning cmd.exe", + "max_signals": 100, + "name": "Svchost spawning Cmd", "query": "process.parent.name:svchost.exe and process.name:cmd.exe", "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json index 7c999c1fc1e03..86242fd1081a1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json @@ -4,15 +4,14 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Potential Evasion via Filter Manager", - "query": "event.code:1 and process.name:fltmc.exe", + "query": "event.code:1 and process.name:fltMC.exe", "risk_score": 21, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "low", "tags": [ "Elastic", - "D-SA", "Windows" ], "threat": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json index 62c8942dda9c3..7789b0723b3fc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json @@ -7,7 +7,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Process Activity via Compiled HTML File", "query": "event.code:1 and process.name:hh.exe", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json deleted file mode 100644 index 657487232fe81..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_connection_manager.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "description": "Various Windows utilities may be used to execute commands, possibly without invoking cmd.exe, including the Program Compatibility Assistant (pcalua.exe) or forfiles.exe.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Indirect Command Execution", - "query": "event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)", - "risk_score": 21, - "rule_id": "f2728299-167a-489c-913c-2e0955ac3c40", - "severity": "low", - "tags": [ - "Elastic", - "D-SA", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json deleted file mode 100644 index 80d91fa515342..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "description": "Adversaries can use Regsvcs.exe and Regasm.exe to proxy execution of code through a trusted Windows utility.", - "false_positives": [ - "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Execution via Regsvcs/Regasm", - "query": "event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)", - "risk_score": 21, - "rule_id": "5c12412f-602c-4120-8c4f-69d723dbba04", - "severity": "low", - "tags": [ - "Elastic", - "D-SA", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1121", - "name": "Regsvcs/Regasm", - "reference": "https://attack.mitre.org/techniques/T1121/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json index 6b2c54d527963..e8e7ddfc168dc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Suspicious Script Object Execution", "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json index e722d311b86c7..bd2376a0897f4 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json @@ -7,7 +7,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Trusted Developer Application Usage", "query": "event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)", "risk_score": 21, @@ -15,7 +15,6 @@ "severity": "low", "tags": [ "Elastic", - "D-SA", "Windows" ], "threat": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json index 2b4d774281b84..32fa953388be3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Network Connection via Compiled HTML File", "query": "process.name:hh.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json index 8a4cb75588bff..0015371f03067 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Network Connection via Signed Binary", "query": "(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json deleted file mode 100644 index 5b3257daec8fb..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_activity_by_the_system_account.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "Identifies attempts to create new users via the SYSTEM account.", - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Net command via SYSTEM account", - "query": "process.name: (net.exe or net1.exe) and user.name:SYSTEM", - "risk_score": 21, - "rule_id": "c3f5dc81-a8b4-4144-95a7-d0a818d7355d", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1136", - "name": "Create Account", - "reference": "https://attack.mitre.org/techniques/T1136/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json index 2c10382cdbc7c..6eaac7b9e6cab 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Potential Application Shimming via Sdbinst", "query": "event.code:1 and process.name:sdbinst.exe", "risk_score": 21, @@ -12,7 +12,6 @@ "severity": "low", "tags": [ "Elastic", - "D-SA", "Windows" ], "threat": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json index 23d05aaf526e3..b2463633b0c5d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json @@ -4,7 +4,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Potential Modification of Accessibility Binaries", "query": "event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or process.name:utilman.exe)", "risk_score": 21, @@ -12,7 +12,6 @@ "severity": "low", "tags": [ "Elastic", - "D-SA", "Windows" ], "threat": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json index 5f5215ddff8c6..a0542ef59d8cd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json @@ -7,7 +7,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Process Discovery via Tasklist", "query": "event.code:1 and process.name:tasklist.exe", "risk_score": 21, @@ -15,7 +15,6 @@ "severity": "low", "tags": [ "Elastic", - "D-SA", "Windows" ], "threat": [ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json deleted file mode 100644 index 6d6343330a7ff..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_execution_via_wmi.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "description": "Identifies use of scrcons.exe, which is a Windows Management Instrumentation (WMI) Standard Event Consumer scripting application.", - "false_positives": [ - " Windows Management Instrumentation (WMI) processes can be used for an array of administrative capabilities. It's important to baseline your environment to determine any abnormal use of this tool." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Execution via Scrcons", - "query": "process.name:scrcons.exe", - "risk_score": 21, - "rule_id": "7e6cd4b9-6346-4683-b3e6-6a3e66f3208f", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1047", - "name": "Windows Management Instrumentation", - "reference": "https://attack.mitre.org/techniques/T1047/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json index b35e016be15d7..d0f2e809c1aa7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json @@ -7,7 +7,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Network Connection via Regsvr", "query": "(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json index cf5135cc490eb..be4ccef2a0887 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json @@ -7,7 +7,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Execution via Signed Binary", "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)", "risk_score": 21, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json deleted file mode 100644 index 117a40d0fdcee..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution_download.json +++ /dev/null @@ -1,54 +0,0 @@ -{ - "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.", - "false_positives": [ - "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." - ], - "index": [ - "winlogbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Potential Download via Signed Binary", - "query": " event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)", - "risk_score": 21, - "rule_id": "68ecc190-cce2-4021-b976-c7c846ac0a00", - "severity": "low", - "tags": [ - "Elastic", - "Windows" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1218", - "name": "Signed Binary Proxy Execution", - "reference": "https://attack.mitre.org/techniques/T1218/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json index 3691c59d784fb..235a04f8063fc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json @@ -7,8 +7,8 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, - "name": "Suspicious Process Spawning from Script Interpreter", + "max_signals": 100, + "name": "Suspicious Process spawning from Script Interpreter", "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe) and event.code:1", "risk_score": 21, "rule_id": "89db767d-99f9-479f-8052-9205fd3090c4", diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json index 3618d304dc32a..678160f945ba0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json @@ -7,7 +7,7 @@ "winlogbeat-*" ], "language": "kuery", - "max_signals": 33, + "max_signals": 100, "name": "Whoami Process Activity", "query": "process.name:whoami.exe and event.code:1", "risk_score": 21,