From cd10df592d5ad89c31b180220a8bc24a3fb88aaa Mon Sep 17 00:00:00 2001 
From: The SpaceCake Project
Date: Tue, 5 May 2020 15:14:01 -0400
Subject: [PATCH] [SIEM] Add initial candidate rules for 7.8 merge may 4 (#65169)
* 78 rules populated rules with a package from the siem-rules repo
* Update index.ts
* Update rule.ts adjust rule count to 145
Co-authored-by: Elastic Machine
Co-authored-by: Garrett Spong
---
 .../403_response_to_a_post.json | 2 +-
 .../405_response_method_not_allowed.json | 2 +-
 ..._security_adversary_behavior_detected.json | 2 +-
 ...point_security_cred_dumping_prevented.json | 2 +-
 ...t_security_cred_manipulation_detected.json | 2 +-
 ..._security_cred_manipulation_prevented.json | 2 +-
 ...ic_endpoint_security_exploit_detected.json | 2 +-
 ...c_endpoint_security_exploit_prevented.json | 2 +-
 ...ic_endpoint_security_malware_detected.json | 2 +-
 ...c_endpoint_security_malware_prevented.json | 2 +-
 ...nt_security_permission_theft_detected.json | 2 +-
 ...t_security_permission_theft_prevented.json | 2 +-
 ...t_security_process_injection_detected.json | 2 +-
 ..._security_process_injection_prevented.json | 2 +-
 ...endpoint_security_ransomware_detected.json | 2 +-
 ...ndpoint_security_ransomware_prevented.json | 2 +-
 ...den_file_attribute_with_via_attribexe.json | 2 +-
 .../eql_adobe_hijack_persistence.json | 2 +-
 .../eql_clearing_windows_event_logs.json | 2 +-
 ...delete_volume_usn_journal_with_fsutil.json | 2 +-
 ...deleting_backup_catalogs_with_wbadmin.json | 2 +-
 .../eql_direct_outbound_smb_connection.json | 2 +-
 ...ble_windows_firewall_rules_with_netsh.json | 2 +-
 ...coding_or_decoding_files_via_certutil.json | 2 +-
 .../eql_local_scheduled_task_commands.json | 2 +-
 .../eql_local_service_commands.json | 2 +-
 ...ql_msbuild_making_network_connections.json | 2 +-
 .../eql_mshta_making_network_connections.json | 2 +-
 .../eql_psexec_lateral_movement_command.json | 2 +-
 ...ql_suspicious_ms_office_child_process.json | 2 +-
 ...l_suspicious_ms_outlook_child_process.json | 2 +-
 .../eql_system_shells_via_services.json | 2 +-
 ...usual_network_connection_via_rundll32.json | 6 +-
 .../eql_unusual_parentchild_relationship.json | 2 +-
 ...ql_unusual_process_network_connection.json | 2 +-
 .../eql_user_account_creation.json | 2 +-
 ...ume_shadow_copy_deletion_via_vssadmin.json | 2 +-
 ..._volume_shadow_copy_deletion_via_wmic.json | 2 +-
 ...l_windows_script_executing_powershell.json | 2 +-
 .../rules/prepackaged_rules/index.ts | 199 ++++++++++--------
 .../linux_anomalous_network_activity.json | 2 +-
 ...linux_anomalous_network_port_activity.json | 2 +-
 .../linux_anomalous_network_service.json | 2 +-
 .../linux_anomalous_network_url_activity.json | 2 +-
 .../linux_anomalous_process_all_hosts.json | 2 +-
 .../linux_anomalous_user_name.json | 2 +-
 ...tempt_to_disable_iptables_or_firewall.json | 35 +++
 ...nux_attempt_to_disable_syslog_service.json | 35 +++
 ..._base32_encoding_or_decoding_activity.json | 53 +++++
 ..._base64_encoding_or_decoding_activity.json | 53 +++++
 .../linux_disable_selinux_attempt.json | 35 +++
 .../linux_file_deletion_via_shred.json | 35 +++
 .../linux_file_mod_writable_dir.json | 38 ++++
 ...nux_hex_encoding_or_decoding_activity.json | 53 +++++
 .../linux_hping_activity.json | 2 +-
 .../linux_iodine_activity.json | 2 +-
 .../linux_kernel_module_activity.json | 2 +-
 .../linux_kernel_module_enumeration.json | 38 ++++
 .../linux_kernel_module_removal.json | 56 +++++
 .../linux_mknod_activity.json | 2 +-
 .../linux_netcat_network_connection.json | 2 +-
 .../linux_nmap_activity.json | 2 +-
 .../linux_nping_activity.json | 2 +-
 .../linux_perl_tty_shell.json | 35 +++
 ...nux_process_started_in_temp_directory.json | 2 +-
 .../linux_python_tty_shell.json | 35 +++
 .../linux_setgid_bit_set_via_chmod.json | 51 +++++
 .../linux_setuid_bit_set_via_chmod.json | 51 +++++
 .../linux_shell_activity_by_web_server.json | 6 +-
 .../linux_socat_activity.json | 2 +-
 .../linux_strace_activity.json | 2 +-
 .../linux_sudoers_file_mod.json | 35 +++
 .../linux_tcpdump_activity.json | 2 +-
 ...inux_telnet_network_activity_external.json | 38 ++++
 ...inux_telnet_network_activity_internal.json | 38 ++++
 .../linux_virtual_machine_fingerprinting.json | 38 ++++
 .../linux_whoami_commmand.json | 2 +-
 .../network_dns_directly_to_the_internet.json | 2 +-
 ...fer_protocol_activity_to_the_internet.json | 2 +-
 ...hat_protocol_activity_to_the_internet.json | 2 +-
 .../network_nat_traversal_port_activity.json | 2 +-
 .../network_port_26_activity.json | 2 +-
 ...rk_port_8000_activity_to_the_internet.json | 2 +-
 ..._to_point_tunneling_protocol_activity.json | 2 +-
 ...k_proxy_port_activity_to_the_internet.json | 2 +-
 ...te_desktop_protocol_from_the_internet.json | 2 +-
 ...mote_desktop_protocol_to_the_internet.json | 2 +-
 ...mote_procedure_call_from_the_internet.json | 2 +-
 ...remote_procedure_call_to_the_internet.json | 2 +-
 ...file_sharing_activity_to_the_internet.json | 2 +-
 .../network_smtp_to_the_internet.json | 2 +-
 ..._server_port_activity_to_the_internet.json | 2 +-
 ...rk_ssh_secure_shell_from_the_internet.json | 2 +-
 ...work_ssh_secure_shell_to_the_internet.json | 2 +-
 .../network_telnet_port_activity.json | 2 +-
 .../network_tor_activity_to_the_internet.json | 2 +-
 ...l_network_computing_from_the_internet.json | 2 +-
 ...ual_network_computing_to_the_internet.json | 2 +-
 .../prepackaged_rules/null_user_agent.json | 2 +-
 .../packetbeat_dns_tunneling.json | 2 +-
 .../packetbeat_rare_dns_question.json | 2 +-
 .../packetbeat_rare_server_domain.json | 2 +-
 .../packetbeat_rare_urls.json | 2 +-
 .../packetbeat_rare_user_agent.json | 2 +-
 .../rare_process_by_host_linux.json | 2 +-
 .../rare_process_by_host_windows.json | 2 +-
 .../prepackaged_rules/sqlmap_user_agent.json | 2 +-
 .../suspicious_login_activity.json | 2 +-
 .../windows_anomalous_network_activity.json | 2 +-
 .../windows_anomalous_path_activity.json | 2 +-
 .../windows_anomalous_process_all_hosts.json | 2 +-
 .../windows_anomalous_process_creation.json | 2 +-
 .../windows_anomalous_script.json | 2 +-
 .../windows_anomalous_service.json | 2 +-
 .../windows_anomalous_user_name.json | 2 +-
 .../windows_certutil_network_connection.json | 2 +-
 ...and_prompt_connecting_to_the_internet.json | 2 +-
 ...s_command_shell_started_by_powershell.json | 2 +-
 ...dows_command_shell_started_by_svchost.json | 2 +-
 .../windows_credential_dumping_msbuild.json | 2 +-
 .../windows_cve_2020_0601.json | 2 +-
 ...ws_defense_evasion_via_filter_manager.json | 2 +-
 ...ecution_msbuild_started_by_office_app.json | 2 +-
 ...s_execution_msbuild_started_by_script.json | 2 +-
 ...ion_msbuild_started_by_system_process.json | 2 +-
 ...ows_execution_msbuild_started_renamed.json | 2 +-
 ...cution_msbuild_started_unusal_process.json | 2 +-
 ...dows_execution_via_compiled_html_file.json | 2 +-
 ...dows_execution_via_net_com_assemblies.json | 2 +-
 ...ution_via_trusted_developer_utilities.json | 2 +-
 ...le_program_connecting_to_the_internet.json | 2 +-
 .../windows_injection_msbuild.json | 2 +-
 ...isc_lolbin_connecting_to_the_internet.json | 2 +-
 .../windows_modification_of_boot_config.json | 2 +-
 .../windows_msxsl_network.json | 2 +-
 .../windows_net_command_system_account.json | 2 +-
 ..._persistence_via_application_shimming.json | 2 +-
 ...escalation_via_accessibility_features.json | 2 +-
 ...rocess_discovery_via_tasklist_command.json | 2 +-
 .../windows_rare_user_runas_event.json | 2 +-
 ...windows_rare_user_type10_remote_login.json | 2 +-
 ...er_program_connecting_to_the_internet.json | 2 +-
 .../windows_suspicious_pdf_reader.json | 2 +-
 .../windows_uac_bypass_event_viewer.json | 2 +-
 .../windows_whoami_command_activity.json | 2 +-
 145 files changed, 999 insertions(+), 212 deletions(-)
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_attempt_to_disable_iptables_or_firewall.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_attempt_to_disable_syslog_service.json
 create mode 100644
x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_base16_or_base32_encoding_or_decoding_activity.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_base64_encoding_or_decoding_activity.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_disable_selinux_attempt.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_file_deletion_via_shred.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_file_mod_writable_dir.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hex_encoding_or_decoding_activity.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_enumeration.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_removal.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_perl_tty_shell.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_python_tty_shell.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_setgid_bit_set_via_chmod.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_setuid_bit_set_via_chmod.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_sudoers_file_mod.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_telnet_network_activity_external.json
 create mode 100644 x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_telnet_network_activity_internal.json
 create mode 100644
x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_virtual_machine_fingerprinting.json
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
index d4118d0686b11..73005db600ca0 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/403_response_to_a_post.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
index da27f0a71d281..de080ff342448 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/405_response_method_not_allowed.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json
index c83c0e01d7fa0..ca97e9901975f 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_adversary_behavior_detected.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json
index 03024ad15396e..11b9fa93f5f17 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_dumping_prevented.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json
index e5a128029f585..ae4b59d101a3a 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_detected.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json
index 1c05743fae62f..2db3fbbde7547 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_cred_manipulation_prevented.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json
index 3396a8563ba1c..a57d56cec9bcd 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_detected.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json
index 2f70c539414c6..f8f1b774a191a 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_exploit_prevented.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json
index cbf6c286a439f..4024a50c3a0fe 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_detected.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json
index 49c7c160e5daf..b21bd00229c04 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_malware_prevented.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json
index e836bd037ddc5..1aba34f7b15c0 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_detected.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json
index e9ac8d7ba6686..b383349b5e204 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_permission_theft_prevented.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json
index 8e25832b0e89a..d7f5b24548344 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_detected.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json
index a59428275ca22..a2595dee2f724 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_process_injection_prevented.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json
index 22091d8c9b68f..9dd62717958e1 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_detected.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json
index 947bfcbba39a0..cfa9ff6cca2ee 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security_ransomware_prevented.json
@@ -17,4 +17,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
index 25d2232d3f6dc..b61a6236db565 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -47,4 +47,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
index 3b4d2bc040217..8d455f501d2b2 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
index 1c73d6c276ce6..d5e60ce3c10d9 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_clearing_windows_event_logs.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
index 0bfa18398eada..6f65a871fce77 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_delete_volume_usn_journal_with_fsutil.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
index e7293eda6390f..97029cebd665a 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_deleting_backup_catalogs_with_wbadmin.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
index 2896d27e19112..8bbdc72573e0d 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_direct_outbound_smb_connection.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
index 42fe51f4e0373..03af66f2cffb2 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_disable_windows_firewall_rules_with_netsh.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
index eef112503da5b..aaca5242e717b 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_encoding_or_decoding_files_via_certutil.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
index dbacb2537e60f..7b674c270f884 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_scheduled_task_commands.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
index 648e83b4a5267..e842b732254ca 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_local_service_commands.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
index 5e8b260d44b55..f3d75c7fead8b 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_msbuild_making_network_connections.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
index 88bd248e258d8..eb2dd0eeff6ea 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_mshta_making_network_connections.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
index f763d2aa03363..2abf38eb1b0ef 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_psexec_lateral_movement_command.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
index 95c9c6b72f8f4..e234688a432e2 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_office_child_process.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
index 7f6c9257fabfd..dcc5e5a095f12 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_suspicious_ms_outlook_child_process.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
index f1b1879fc2652..504c41f05871a 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_system_shells_via_services.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
index 2a7960c939d01..c2be97f110a38 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_network_connection_via_rundll32.json
@@ -5,7 +5,7 @@
 ],
 "language": "kuery",
 "name": "Unusual Network Connection via RunDLL32",
- "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)",
+ "query": "process.name:rundll32.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)",
 "risk_score": 21,
 "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886",
 "severity": "low",
@@ -31,5 +31,5 @@
 }
 ],
 "type": "query",
- "version": 2
-}
\ No newline at end of file
+ "version": 3
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
index 9a28c87c77089..ea87ce1aea81d 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_parentchild_relationship.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
index 43a3d6f6af0b2..481768e76ee37 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_unusual_process_network_connection.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
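Review bot: The new `query` line excludes IPv4 loopback with `127.0.0.0/8` but not the IPv6 loopback `::1`, so a rundll32 connection to a local service over IPv6 is still treated as an external destination while the same connection over IPv4 is now suppressed; link-local `169.254.0.0/16` is in the same position. If the intent is "ignore private and host-local destinations", completing the list as `not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8 or "::1" or 169.254.0.0/16)` closes that gap, assuming the ip field mapping accepts the IPv6 literal in this KQL list, which I can't verify from the diff. Whatever set is chosen, the rule's `description` (outside this hunk) is the only place to record why each range is excluded, since these JSON rule files carry no comments.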
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json index 7054e7f67c358..247a1cde22596 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_user_account_creation.json @@ -32,4 +32,4 @@ ], "type": "query", "version": 2 -} \ No newline at end of file +} diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json index 24f1cb72504f3..700fd5215133d 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_vssadmin.json @@ -32,4 +32,4 @@ ], "type": "query", "version": 2 -} \ No newline at end of file +} diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json index bad3c65024e42..59222be6c598a 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_volume_shadow_copy_deletion_via_wmic.json @@ -32,4 +32,4 @@ ], "type": "query", "version": 2 -} \ No newline at end of file +} 
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json index 52323b169cb22..27411e35ee828 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_windows_script_executing_powershell.json @@ -32,4 +32,4 @@ ], "type": "query", "version": 2 -} \ No newline at end of file +} diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts index 9e185b5a5ef7c..0a2317898e8a3 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts 
@@ -53,88 +53,105 @@ import rule43 from './linux_anomalous_network_service.json'; import rule44 from './linux_anomalous_network_url_activity.json'; import rule45 from './linux_anomalous_process_all_hosts.json'; import rule46 from './linux_anomalous_user_name.json'; -import rule47 from './linux_hping_activity.json'; -import rule48 from './linux_iodine_activity.json'; -import rule49 from './linux_kernel_module_activity.json'; -import rule50 from './linux_mknod_activity.json'; -import rule51 from './linux_netcat_network_connection.json'; -import rule52 from './linux_nmap_activity.json'; -import rule53 from './linux_nping_activity.json'; -import rule54 from './linux_process_started_in_temp_directory.json'; -import rule55 from './linux_shell_activity_by_web_server.json'; -import rule56 from './linux_socat_activity.json'; -import rule57 from './linux_strace_activity.json'; -import rule58 from './linux_tcpdump_activity.json'; -import rule59 from './linux_whoami_commmand.json'; -import rule60 from './network_dns_directly_to_the_internet.json'; -import rule61 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; -import rule62 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; -import rule63 from './network_nat_traversal_port_activity.json'; -import rule64 from './network_port_26_activity.json'; -import rule65 from './network_port_8000_activity_to_the_internet.json'; -import rule66 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; -import rule67 from './network_proxy_port_activity_to_the_internet.json'; -import rule68 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; -import rule69 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; -import rule70 from './network_rpc_remote_procedure_call_from_the_internet.json'; -import rule71 from './network_rpc_remote_procedure_call_to_the_internet.json'; -import rule72 from 
'./network_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule73 from './network_smtp_to_the_internet.json'; -import rule74 from './network_sql_server_port_activity_to_the_internet.json'; -import rule75 from './network_ssh_secure_shell_from_the_internet.json'; -import rule76 from './network_ssh_secure_shell_to_the_internet.json'; -import rule77 from './network_telnet_port_activity.json'; -import rule78 from './network_tor_activity_to_the_internet.json'; -import rule79 from './network_vnc_virtual_network_computing_from_the_internet.json'; -import rule80 from './network_vnc_virtual_network_computing_to_the_internet.json'; -import rule81 from './null_user_agent.json'; -import rule82 from './packetbeat_dns_tunneling.json'; -import rule83 from './packetbeat_rare_dns_question.json'; -import rule84 from './packetbeat_rare_server_domain.json'; -import rule85 from './packetbeat_rare_urls.json'; -import rule86 from './packetbeat_rare_user_agent.json'; -import rule87 from './rare_process_by_host_linux.json'; -import rule88 from './rare_process_by_host_windows.json'; -import rule89 from './sqlmap_user_agent.json'; -import rule90 from './suspicious_login_activity.json'; -import rule91 from './windows_anomalous_network_activity.json'; -import rule92 from './windows_anomalous_path_activity.json'; -import rule93 from './windows_anomalous_process_all_hosts.json'; -import rule94 from './windows_anomalous_process_creation.json'; -import rule95 from './windows_anomalous_script.json'; -import rule96 from './windows_anomalous_service.json'; -import rule97 from './windows_anomalous_user_name.json'; -import rule98 from './windows_certutil_network_connection.json'; -import rule99 from './windows_command_prompt_connecting_to_the_internet.json'; -import rule100 from './windows_command_shell_started_by_powershell.json'; -import rule101 from './windows_command_shell_started_by_svchost.json'; -import rule102 from './windows_credential_dumping_msbuild.json'; -import rule103 
from './windows_cve_2020_0601.json'; -import rule104 from './windows_defense_evasion_via_filter_manager.json'; -import rule105 from './windows_execution_msbuild_started_by_office_app.json'; -import rule106 from './windows_execution_msbuild_started_by_script.json'; -import rule107 from './windows_execution_msbuild_started_by_system_process.json'; -import rule108 from './windows_execution_msbuild_started_renamed.json'; -import rule109 from './windows_execution_msbuild_started_unusal_process.json'; -import rule110 from './windows_execution_via_compiled_html_file.json'; -import rule111 from './windows_execution_via_net_com_assemblies.json'; -import rule112 from './windows_execution_via_trusted_developer_utilities.json'; -import rule113 from './windows_html_help_executable_program_connecting_to_the_internet.json'; -import rule114 from './windows_injection_msbuild.json'; -import rule115 from './windows_misc_lolbin_connecting_to_the_internet.json'; -import rule116 from './windows_modification_of_boot_config.json'; -import rule117 from './windows_msxsl_network.json'; -import rule118 from './windows_net_command_system_account.json'; -import rule119 from './windows_persistence_via_application_shimming.json'; -import rule120 from './windows_priv_escalation_via_accessibility_features.json'; -import rule121 from './windows_process_discovery_via_tasklist_command.json'; -import rule122 from './windows_rare_user_runas_event.json'; -import rule123 from './windows_rare_user_type10_remote_login.json'; -import rule124 from './windows_register_server_program_connecting_to_the_internet.json'; -import rule125 from './windows_suspicious_pdf_reader.json'; -import rule126 from './windows_uac_bypass_event_viewer.json'; -import rule127 from './windows_whoami_command_activity.json'; - +import rule47 from './linux_attempt_to_disable_iptables_or_firewall.json'; +import rule48 from './linux_attempt_to_disable_syslog_service.json'; +import rule49 from 
'./linux_base16_or_base32_encoding_or_decoding_activity.json'; +import rule50 from './linux_base64_encoding_or_decoding_activity.json'; +import rule51 from './linux_disable_selinux_attempt.json'; +import rule52 from './linux_file_deletion_via_shred.json'; +import rule53 from './linux_file_mod_writable_dir.json'; +import rule54 from './linux_hex_encoding_or_decoding_activity.json'; +import rule55 from './linux_hping_activity.json'; +import rule56 from './linux_iodine_activity.json'; +import rule57 from './linux_kernel_module_activity.json'; +import rule58 from './linux_kernel_module_enumeration.json'; +import rule59 from './linux_kernel_module_removal.json'; +import rule60 from './linux_mknod_activity.json'; +import rule61 from './linux_netcat_network_connection.json'; +import rule62 from './linux_nmap_activity.json'; +import rule63 from './linux_nping_activity.json'; +import rule64 from './linux_perl_tty_shell.json'; +import rule65 from './linux_process_started_in_temp_directory.json'; +import rule66 from './linux_python_tty_shell.json'; +import rule67 from './linux_setgid_bit_set_via_chmod.json'; +import rule68 from './linux_setuid_bit_set_via_chmod.json'; +import rule69 from './linux_shell_activity_by_web_server.json'; +import rule70 from './linux_socat_activity.json'; +import rule71 from './linux_strace_activity.json'; +import rule72 from './linux_sudoers_file_mod.json'; +import rule73 from './linux_tcpdump_activity.json'; +import rule74 from './linux_telnet_network_activity_external.json'; +import rule75 from './linux_telnet_network_activity_internal.json'; +import rule76 from './linux_virtual_machine_fingerprinting.json'; +import rule77 from './linux_whoami_commmand.json'; +import rule78 from './network_dns_directly_to_the_internet.json'; +import rule79 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; +import rule80 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; +import rule81 from 
'./network_nat_traversal_port_activity.json'; +import rule82 from './network_port_26_activity.json'; +import rule83 from './network_port_8000_activity_to_the_internet.json'; +import rule84 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; +import rule85 from './network_proxy_port_activity_to_the_internet.json'; +import rule86 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; +import rule87 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; +import rule88 from './network_rpc_remote_procedure_call_from_the_internet.json'; +import rule89 from './network_rpc_remote_procedure_call_to_the_internet.json'; +import rule90 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; +import rule91 from './network_smtp_to_the_internet.json'; +import rule92 from './network_sql_server_port_activity_to_the_internet.json'; +import rule93 from './network_ssh_secure_shell_from_the_internet.json'; +import rule94 from './network_ssh_secure_shell_to_the_internet.json'; +import rule95 from './network_telnet_port_activity.json'; +import rule96 from './network_tor_activity_to_the_internet.json'; +import rule97 from './network_vnc_virtual_network_computing_from_the_internet.json'; +import rule98 from './network_vnc_virtual_network_computing_to_the_internet.json'; +import rule99 from './null_user_agent.json'; +import rule100 from './packetbeat_dns_tunneling.json'; +import rule101 from './packetbeat_rare_dns_question.json'; +import rule102 from './packetbeat_rare_server_domain.json'; +import rule103 from './packetbeat_rare_urls.json'; +import rule104 from './packetbeat_rare_user_agent.json'; +import rule105 from './rare_process_by_host_linux.json'; +import rule106 from './rare_process_by_host_windows.json'; +import rule107 from './sqlmap_user_agent.json'; +import rule108 from './suspicious_login_activity.json'; +import rule109 from './windows_anomalous_network_activity.json'; +import rule110 from 
'./windows_anomalous_path_activity.json'; +import rule111 from './windows_anomalous_process_all_hosts.json'; +import rule112 from './windows_anomalous_process_creation.json'; +import rule113 from './windows_anomalous_script.json'; +import rule114 from './windows_anomalous_service.json'; +import rule115 from './windows_anomalous_user_name.json'; +import rule116 from './windows_certutil_network_connection.json'; +import rule117 from './windows_command_prompt_connecting_to_the_internet.json'; +import rule118 from './windows_command_shell_started_by_powershell.json'; +import rule119 from './windows_command_shell_started_by_svchost.json'; +import rule120 from './windows_credential_dumping_msbuild.json'; +import rule121 from './windows_cve_2020_0601.json'; +import rule122 from './windows_defense_evasion_via_filter_manager.json'; +import rule123 from './windows_execution_msbuild_started_by_office_app.json'; +import rule124 from './windows_execution_msbuild_started_by_script.json'; +import rule125 from './windows_execution_msbuild_started_by_system_process.json'; +import rule126 from './windows_execution_msbuild_started_renamed.json'; +import rule127 from './windows_execution_msbuild_started_unusal_process.json'; +import rule128 from './windows_execution_via_compiled_html_file.json'; +import rule129 from './windows_execution_via_net_com_assemblies.json'; +import rule130 from './windows_execution_via_trusted_developer_utilities.json'; +import rule131 from './windows_html_help_executable_program_connecting_to_the_internet.json'; +import rule132 from './windows_injection_msbuild.json'; +import rule133 from './windows_misc_lolbin_connecting_to_the_internet.json'; +import rule134 from './windows_modification_of_boot_config.json'; +import rule135 from './windows_msxsl_network.json'; +import rule136 from './windows_net_command_system_account.json'; +import rule137 from './windows_persistence_via_application_shimming.json'; +import rule138 from 
'./windows_priv_escalation_via_accessibility_features.json'; +import rule139 from './windows_process_discovery_via_tasklist_command.json'; +import rule140 from './windows_rare_user_runas_event.json'; +import rule141 from './windows_rare_user_type10_remote_login.json'; +import rule142 from './windows_register_server_program_connecting_to_the_internet.json'; +import rule143 from './windows_suspicious_pdf_reader.json'; +import rule144 from './windows_uac_bypass_event_viewer.json'; +import rule145 from './windows_whoami_command_activity.json'; export const rawRules = [ rule1, rule2, @@ -263,4 +280,22 @@ export const rawRules = [ rule125, rule126, rule127, + rule128, + rule129, + rule130, + rule131, + rule132, + rule133, + rule134, + rule135, + rule136, + rule137, + rule138, + rule139, + rule140, + rule141, + rule142, + rule143, + rule144, + rule145, ]; diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json index 41f38173dba33..d910f83b0c8bd 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_activity.json 
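Review bot: The import list in the `@@ -53,88 +53,105 @@` hunk is numbered sequentially, so adding 18 Linux rules renumbers every existing import from `rule47` (`linux_hping_activity.json`) through `rule127` (`windows_whoami_command_activity.json`) to `rule55`–`rule145`, and the `@@ -263,4 +280,22 @@` hunk then has to append `rule128` through `rule145` to `rawRules`; the 18 genuinely new files are hard to pick out of roughly 170 changed lines, and a rule's identifier in this file changes on every release. Naming each import after its file, e.g. `import linuxHpingActivity from './linux_hping_activity.json';`, or building `rawRules` from a single ordered list of filenames, would turn future additions into pure insertions. Two carried-over filename typos remain visible on the new side, `linux_whoami_commmand.json` and `windows_execution_msbuild_started_unusal_process.json`; they are not introduced here but are worth a follow-up rename, since the filename is the only human-readable key in this list.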
@@ -8,6 +8,7 @@ "interval": "15m", "machine_learning_job_id": "linux_anomalous_network_activity_ecs", "name": "Unusual Linux Network Activity", + "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": [ "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" ], 
@@ -20,6 +21,5 @@ "ML" ], "type": "machine_learning", - "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "version": 1 } diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json index d435d4c10f05c..aa0d1cb125aed 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_port_activity.json @@ -21,4 +21,4 @@ ], "type": "machine_learning", "version": 1 -} \ No newline at end of file +} 
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json index 0b82ce99d0b7f..5d137b81d1314 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_service.json @@ -21,4 +21,4 @@ ], "type": "machine_learning", "version": 1 -} \ No newline at end of file +} diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json index 26af34e18a4c8..3732e575a2e41 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_network_url_activity.json @@ -21,4 +21,4 @@ ], "type": "machine_learning", "version": 1 -} \ No newline at end of file +} diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json index 103171bcdfe50..259f0147953ad 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_process_all_hosts.json 
@@ -8,6 +8,7 @@ "interval": "15m", "machine_learning_job_id": "linux_anomalous_process_all_hosts_ecs", "name": "Anomalous Process For a Linux Population", + "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": [ "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" ], 
@@ -20,6 +21,5 @@ "ML" ], "type": "machine_learning", - "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.", "version": 1 } diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json index 6642bb5d73fbd..2e7bd0d1d99d7 100644 --- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_anomalous_user_name.json 
@@ -8,6 +8,7 @@ "interval": "15m", "machine_learning_job_id": "linux_anomalous_user_name_ecs", "name": "Unusual Linux Username", + "note": "### Investigating an Unusual Linux User ###\nSignals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", "references": [ "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html" ], 
@@ -20,6 +21,5 @@ "ML" ], "type": "machine_learning", - "note": "### Investigating an Unusual Linux User ###\nSignals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", "version": 1 } diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_attempt_to_disable_iptables_or_firewall.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_attempt_to_disable_iptables_or_firewall.json new file mode 100644 index 0000000000000..77d0ddc22ff40 --- /dev/null +++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_attempt_to_disable_iptables_or_firewall.json 
@@ -0,0 +1,35 @@
+{
+ "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Attempt to Disable IPTables or Firewall",
+ "query": "event.action:(executed or process_started) and (process.name:service and process.args:stop or process.name:chkconfig and process.args:off) and process.args:(ip6tables or iptables) or process.name:systemctl and process.args:(firewalld and (disable or stop or kill))",
+ "risk_score": 47,
+ "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1089",
+ "name": "Disabling Security Tools",
+ "reference": "https://attack.mitre.org/techniques/T1089/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_attempt_to_disable_syslog_service.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_attempt_to_disable_syslog_service.json
new file mode 100644
index 0000000000000..d4584035d53b4
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_attempt_to_disable_syslog_service.json
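Review bot: The `query` depends on KQL giving `and` precedence over `or`, so the final `or process.name:systemctl and process.args:(firewalld and (disable or stop or kill))` is a second top-level alternative that is neither gated by `event.action:(executed or process_started)` nor tied to `ip6tables`/`iptables`, whereas the sibling rule in linux_attempt_to_disable_syslog_service.json in this same commit parenthesizes every alternative explicitly. If the systemctl branch is meant to sit under the same event gate, the line can be written as `event.action:(executed or process_started) and (((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off)) and process.args:(ip6tables or iptables) or (process.name:systemctl and process.args:(firewalld and (disable or stop or kill))))`. Note also that the systemctl branch matches only `firewalld`, so a host that runs the iptables service unit under systemctl is not covered; if that is intentional, the `description` should say so.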
@@ -0,0 +1,35 @@
+{
+ "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.",
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Attempt to Disable Syslog Service",
+ "query": "event.action:(executed or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or \"syslog-ng\")",
+ "risk_score": 47,
+ "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1089",
+ "name": "Disabling Security Tools",
+ "reference": "https://attack.mitre.org/techniques/T1089/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_base16_or_base32_encoding_or_decoding_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_base16_or_base32_encoding_or_decoding_activity.json
new file mode 100644
index 0000000000000..9518138ad6799
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_base16_or_base32_encoding_or_decoding_activity.json
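Review bot: The `description` repeats a phrase, `in an attempt to an attempt to disrupt`; suggest `"description": "Adversaries may attempt to disable the syslog service in an attempt to disrupt event logging and evade detection by security controls.",`. The query's explicit parenthesization of each alternative is the clearer form and is the pattern the iptables rule added in this same commit should follow.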
@@ -0,0 +1,53 @@
+{
+ "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+ "false_positives": [
+ "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+ ],
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Base16 or Base32 Encoding/Decoding Activity",
+ "query": "event.action:(executed or process_started) and process.name:(base16 or base32 or base32plain or base32hex)",
+ "risk_score": 21,
+ "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1140",
+ "name": "Deobfuscate/Decode Files or Information",
+ "reference": "https://attack.mitre.org/techniques/T1140/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1027",
+ "name": "Obfuscated Files or Information",
+ "reference": "https://attack.mitre.org/techniques/T1027/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_base64_encoding_or_decoding_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_base64_encoding_or_decoding_activity.json
new file mode 100644
index 0000000000000..37f3e3eaccd90
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_base64_encoding_or_decoding_activity.json
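Review bot: Of the `process.name` values in the new `query`, only `base32` corresponds to an executable I can place on a typical Linux install; `base16`, `base32hex` and `base32plain` are encodings that GNU coreutils exposes as options of the `basenc` binary (`basenc --base16`, `basenc --base32hex`) rather than as separate programs, so those three terms will likely never match and `basenc` itself is not listed. The same applies to `base64url`, `base64mime`, `base64pem` and `base64plain` in linux_base64_encoding_or_decoding_activity.json in this commit. If these names come from a specific platform or tool, the `description` should say which; otherwise adding `basenc` to both lists, e.g. `process.name:(base16 or base32 or base32plain or base32hex or basenc)`, covers the coreutils case.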
@@ -0,0 +1,53 @@
+{
+ "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+ "false_positives": [
+ "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+ ],
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Base64 Encoding/Decoding Activity",
+ "query": "event.action:(executed or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)",
+ "risk_score": 21,
+ "rule_id": "97f22dab-84e8-409d-955e-dacd1d31670b",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1140",
+ "name": "Deobfuscate/Decode Files or Information",
+ "reference": "https://attack.mitre.org/techniques/T1140/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1027",
+ "name": "Obfuscated Files or Information",
+ "reference": "https://attack.mitre.org/techniques/T1027/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_disable_selinux_attempt.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_disable_selinux_attempt.json
new file mode 100644
index 0000000000000..d33331cd4f8d4
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_disable_selinux_attempt.json
@@ -0,0 +1,35 @@
+{
+ "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Potential Disabling of SELinux",
+ "query": "event.action:executed and process.name:setenforce and process.args:0",
+ "risk_score": 47,
+ "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1089",
+ "name": "Disabling Security Tools",
+ "reference": "https://attack.mitre.org/techniques/T1089/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_file_deletion_via_shred.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_file_deletion_via_shred.json
new file mode 100644
index 0000000000000..4fd72a212f0ba
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_file_deletion_via_shred.json
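Review bot: The query matches only `event.action:executed`, while the syslog, shred and encoding rules in this same batch match `event.action:(executed or process_started)`; the kernel-module, writable-directory, tty-shell and VM-fingerprinting rules later in the commit have the same narrower form. If both auditbeat event shapes are meant to be covered, this rule should use the same disjunction, and if the narrower match is deliberate, a sentence in the description naming which auditbeat module the rule expects would save the next reader the question. Separately, `setenforce` also accepts `Permissive` as its argument, so `process.args:(0 or permissive)` closes a gap that the current `process.args:0` leaves open.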
@@ -0,0 +1,35 @@
+{
+ "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "File Deletion via Shred",
+ "query": "event.action:(executed or process_started) and process.name:shred and process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")",
+ "risk_score": 21,
+ "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1107",
+ "name": "File Deletion",
+ "reference": "https://attack.mitre.org/techniques/T1107/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_file_mod_writable_dir.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_file_mod_writable_dir.json
new file mode 100644
index 0000000000000..66c5848b17707
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_file_mod_writable_dir.json
@@ -0,0 +1,38 @@
+{
+ "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.",
+ "false_positives": [
+ "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."
+ ],
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "File Permission Modification in Writable Directory",
+ "query": "event.action:executed and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root",
+ "risk_score": 21,
+ "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1222",
+ "name": "File and Directory Permissions Modification",
+ "reference": "https://attack.mitre.org/techniques/T1222/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hex_encoding_or_decoding_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hex_encoding_or_decoding_activity.json
new file mode 100644
index 0000000000000..a67d310d2ad81
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hex_encoding_or_decoding_activity.json
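Review bot: The name and description promise permission changes on files *in* writable directories, but the query keys on `process.working_directory`, so a `chmod` issued from `/tmp` against a file in the user's home matches while `chmod` of a file under `/tmp` issued from another directory does not. Either match the target path as well, e.g. `process.args:(/tmp/* or /var/tmp/* or /dev/shm/*)` alongside the working-directory clause, or reword the description to say the rule keys on the process working directory so the false_positives guidance stays accurate. The `not user.name:root` exclusion is fine but worth a sentence in the description, since root-driven activity in these paths is dropped silently.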
@@ -0,0 +1,53 @@
+{
+ "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
+ "false_positives": [
+ "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
+ ],
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Hex Encoding/Decoding Activity",
+ "query": "event.action:(executed or process_started) and process.name:(hex or xxd)",
+ "risk_score": 21,
+ "rule_id": "a9198571-b135-4a76-b055-e3e5a476fd83",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1140",
+ "name": "Deobfuscate/Decode Files or Information",
+ "reference": "https://attack.mitre.org/techniques/T1140/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1027",
+ "name": "Obfuscated Files or Information",
+ "reference": "https://attack.mitre.org/techniques/T1027/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
index 04a56241ea6f6..bd954683723f4 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_hping_activity.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
index 80358cc775e3b..63b0155bbd82c 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
index b50fcc4c9980b..95fe337fbfd1b 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_activity.json
@@ -38,4 +38,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_enumeration.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_enumeration.json
new file mode 100644
index 0000000000000..85564506bcff9
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_enumeration.json
@@ -0,0 +1,38 @@
+{
+ "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.",
+ "false_positives": [
+ "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."
+ ],
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Enumeration of Kernel Modules",
+ "query": "event.action:executed and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))",
+ "risk_score": 47,
+ "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1082",
+ "name": "System Information Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1082/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_removal.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_removal.json
new file mode 100644
index 0000000000000..bb88a2acad53d
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_kernel_module_removal.json
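Review bot: The query leans on KQL's implicit precedence (`and` binds tighter than `or`) so that `kmod and list and sudo or sudo and (depmod or lsmod or modinfo)` splits into two alternatives only by convention, and the kernel-module-removal rule in the next hunk has the same shape (`rmmod and sudo or modprobe and sudo and (...)`). Explicit grouping, `process.args:((kmod and list and sudo) or (sudo and (depmod or lsmod or modinfo)))`, makes the intent reviewable and survives later edits. Requiring `sudo` inside `process.args` also means the rule fires only on the sudo-wrapped invocation; if that scoping is intended, the description should say so, since "attempts to enumerate" reads broader than what is matched.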
@@ -0,0 +1,56 @@
+{
+ "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.",
+ "false_positives": [
+ "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."
+ ],
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Kernel Module Removal",
+ "query": "event.action:executed and process.args:(rmmod and sudo or modprobe and sudo and (\"--remove\" or \"-r\"))",
+ "references": [
+ "http://man7.org/linux/man-pages/man8/modprobe.8.html"
+ ],
+ "risk_score": 73,
+ "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1089",
+ "name": "Disabling Security Tools",
+ "reference": "https://attack.mitre.org/techniques/T1089/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1215",
+ "name": "Kernel Modules and Extensions",
+ "reference": "https://attack.mitre.org/techniques/T1215/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
index d65440e95ff17..21208ade670ee 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_mknod_activity.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
index df8e46be7a1c3..caacef3b33deb 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json
@@ -23,4 +23,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
index 2e5c899ebc625..99324460cc00a 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nmap_activity.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
index 168b30121c4bb..b4d44c65cd89c 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_perl_tty_shell.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_perl_tty_shell.json
new file mode 100644
index 0000000000000..2f003f8ec9d03
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_perl_tty_shell.json
@@ -0,0 +1,35 @@
+{
+ "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Interactive Terminal Spawned via Perl",
+ "query": "event.action:executed and process.name:perl and process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")",
+ "risk_score": 73,
+ "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command-Line Interface",
+ "reference": "https://attack.mitre.org/techniques/T1059/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json
index 0865ac6c70cb2..c20a41ac91d02 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json
@@ -18,4 +18,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_python_tty_shell.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_python_tty_shell.json
new file mode 100644
index 0000000000000..42e014e919cad
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_python_tty_shell.json
@@ -0,0 +1,35 @@
+{
+ "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.",
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Interactive Terminal Spawned via Python",
+ "query": "event.action:executed and process.name:python and process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or \"import pty; pty.spawn(\\\"/bin/bash\\\")\")",
+ "risk_score": 73,
+ "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command-Line Interface",
+ "reference": "https://attack.mitre.org/techniques/T1059/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_setgid_bit_set_via_chmod.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_setgid_bit_set_via_chmod.json
new file mode 100644
index 0000000000000..c104330348596
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_setgid_bit_set_via_chmod.json
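Review bot: `process.name:python` never matches on hosts where the interpreter binary is named `python3` or `python2`, which is the default on current distributions, so a high-severity rule stays silent on exactly the systems it is most likely deployed to. `process.name:(python or python2 or python3)` — or `process.name:python*` if the field is a keyword, which KQL supports — would restore the intended coverage. The Perl rule in the previous hunk does not have this problem because `perl` is normally unversioned, but both rules would benefit from a `false_positives` entry, since administrators and configuration tools do spawn ptys this way.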
@@ -0,0 +1,51 @@
+{
+ "description": "An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "lucene",
+ "max_signals": 33,
+ "name": "Setgid Bit Set via chmod",
+ "query": "event.action:(executed OR process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root",
+ "risk_score": 21,
+ "rule_id": "3a86e085-094c-412d-97ff-2439731e59cb",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1166",
+ "name": "Setuid and Setgid",
+ "reference": "https://attack.mitre.org/techniques/T1166/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1166",
+ "name": "Setuid and Setgid",
+ "reference": "https://attack.mitre.org/techniques/T1166/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_setuid_bit_set_via_chmod.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_setuid_bit_set_via_chmod.json
new file mode 100644
index 0000000000000..72b62b67aa2d4
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_setuid_bit_set_via_chmod.json
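Review bot: The second `threat` entry pairs `"id": "TA0004"` and the `/tactics/TA0004/` reference with `"name": "Persistence"`, but the first entry in this same file already records TA0004 as Privilege Escalation, and the kernel-module-removal rule earlier in this commit records Persistence as TA0003. The entry should read `"id": "TA0003"`, `"name": "Persistence"`, `"reference": "https://attack.mitre.org/tactics/TA0003/"`; the setuid rule in the next hunk has the identical mismatch. Separately, `"max_signals": 33` appears only in these two rules with no explanation, and the mixed `lucene` syntax (these two) versus `kuery` (the rest of the batch) is presumably driven by the `/2[0-9]{3}/` regex — a sentence in the description noting both would spare the next maintainer a guess.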
@@ -0,0 +1,51 @@
+{
+ "description": "An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.",
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "lucene",
+ "max_signals": 33,
+ "name": "Setuid Bit Set via chmod",
+ "query": "event.action:(executed OR process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root",
+ "risk_score": 21,
+ "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1166",
+ "name": "Setuid and Setgid",
+ "reference": "https://attack.mitre.org/techniques/T1166/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1166",
+ "name": "Setuid and Setgid",
+ "reference": "https://attack.mitre.org/techniques/T1166/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
index e9c4c95bb9284..4d6000bda3b01 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -8,7 +8,7 @@
 ],
 "language": "kuery",
 "name": "Potential Shell via Web Server",
- "query": "process.name:bash and user.name:(apache or www or www-data) and event.action:executed",
+ "query": "process.name:(bash or dash) and user.name:(apache or nginx or www or \"www-data\") and event.action:executed",
 "references": [
 "https://pentestlab.blog/tag/web-shell/"
 ],
@@ -37,5 +37,5 @@
 }
 ],
 "type": "query",
- "version": 2
-}
\ No newline at end of file
+ "version": 3
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
index 404fea63aff94..b0f9a19bfacaa 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_socat_activity.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
index fbdfa9e66682d..9e449ebfdfd81 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_sudoers_file_mod.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_sudoers_file_mod.json
new file mode 100644
index 0000000000000..3cb9259e92132
--- /dev/null
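Review bot: The widened `process.name:(bash or dash)` list still omits `sh`, which is the name the process carries when a web application spawns a shell through `/bin/sh -c` (how PHP's `system()`/`exec()` and comparable helpers launch commands, and the shape the linked web-shell reference describes); presumably that is the most common form of what this rule is meant to catch, so `process.name:(bash or dash or sh)` is worth confirming against your auditbeat data. The `nginx` and quoted `"www-data"` additions look right. The enclosing rule object continues outside both hunks.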
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_sudoers_file_mod.json
@@ -0,0 +1,35 @@
+{
+ "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.",
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Sudoers File Modification",
+ "query": "event.module:file_integrity and event.action:updated and file.path:/etc/sudoers",
+ "risk_score": 21,
+ "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1169",
+ "name": "Sudo",
+ "reference": "https://attack.mitre.org/techniques/T1169/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
index 82771074e7c29..b372645cc492a 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_tcpdump_activity.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_telnet_network_activity_external.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_telnet_network_activity_external.json
new file mode 100644
index 0000000000000..9f6b80b8bf1ef
--- /dev/null
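Review bot: `file.path:/etc/sudoers` covers only the main file, while drop-ins under `/etc/sudoers.d/` are included by default on most distributions and grant exactly the same privileges, so a change there never reaches this rule even though the description speaks of "a sudoers file" generically. `file.path:(/etc/sudoers or /etc/sudoers.d/*)` matches the stated intent. It is also worth confirming that the file_integrity module reports an in-place `visudo` edit as `updated` rather than as a `created`/`moved` pair, since the query lists `updated` alone; if it does not, the `event.action` clause needs to be widened or the limitation documented in a `false_positives` or description note.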
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_telnet_network_activity_external.json
@@ -0,0 +1,38 @@
+{
+ "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.",
+ "false_positives": [
+ "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+ ],
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Connection to External Network via Telnet",
+ "query": "event.action:(\"connected-to\" or \"network_flow\") and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\" or \"::1/128\")",
+ "risk_score": 47,
+ "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1021",
+ "name": "Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1021/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_telnet_network_activity_internal.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_telnet_network_activity_internal.json
new file mode 100644
index 0000000000000..a2e94f1d2d015
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_telnet_network_activity_internal.json
@@ -0,0 +1,38 @@
+{
+ "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.",
+ "false_positives": [
+ "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."
+ ],
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Connection to Internal Network via Telnet",
+ "query": "event.action:(\"connected-to\" or \"network_flow\") and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or \"FE80::/10\") and not (127.0.0.0/8 or \"::1/128\"))",
+ "risk_score": 47,
+ "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1021",
+ "name": "Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1021/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_virtual_machine_fingerprinting.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_virtual_machine_fingerprinting.json
new file mode 100644
index 0000000000000..28c4b6d6ee0e5
--- /dev/null
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_virtual_machine_fingerprinting.json
@@ -0,0 +1,38 @@
+{
+ "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+ "false_positives": [
+ "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+ ],
+ "index": [
+ "auditbeat-*"
+ ],
+ "language": "kuery",
+ "name": "Virtual Machine Fingerprinting",
+ "query": "event.action:executed and process.args:(\"/sys/class/dmi/id/bios_version\" or \"/sys/class/dmi/id/product_name\" or \"/sys/class/dmi/id/chassis_vendor\" or \"/proc/scsi/scsi\" or \"/proc/ide/hd0/model\") and not user.name:root",
+ "risk_score": 73,
+ "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Linux"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1082",
+ "name": "System Information Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1082/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 1
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
index 7e7f041581eb0..e96c8dc3887e0 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_whoami_commmand.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
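Review bot: The `description` attributes this technique to the Pupy RAT, but the new file carries no `references` array, unlike the machine_learning rules touched later in this diff that point at the prebuilt-jobs guide. A source for that attribution would let an analyst verify the claim and understand which paths matter; add `"references": ["<placeholder: URL documenting the Pupy RAT VM-fingerprinting behaviour>"]` alongside the other top-level fields. The `false_positives` text already tells operators how to exempt tooling, so the rule is otherwise well documented.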
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
index e08d681d14463..1ffabbc876e2e 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_dns_directly_to_the_internet.json
@@ -39,4 +39,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
index 24c3bad817227..0649d408a5c22 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ftp_file_transfer_protocol_activity_to_the_internet.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
index bf286d4cab506..bdabfa4d5f38f 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_irc_internet_relay_chat_protocol_activity_to_the_internet.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
index 61c1e3d47cf7a..63bdd2b83e3bc 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_nat_traversal_port_activity.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
index a9a39b61884c5..df809d2225352 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json
@@ -54,4 +54,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
index 2f1390411f97b..11b711d8f7464 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_8000_activity_to_the_internet.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
index f7170d8d33a51..87d37b77f53b4 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_pptp_point_to_point_tunneling_protocol_activity.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
index da4319cf15307..35ba1ca806296 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_proxy_port_activity_to_the_internet.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
index d3b65a36f084b..7b0c9b2927cab 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json
@@ -65,4 +65,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
index 79618a867c73f..17d00ebff4603 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_to_the_internet.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
index da1e46750f3bd..719d0e39e94cd 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
index d07d19b8fffee..a7791047cab26 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_to_the_internet.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
index 93a4b0ebbbd8e..eca200e318c42 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json
@@ -47,4 +47,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
index ca287605490ef..c05efa1c0e26b 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smtp_to_the_internet.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
index 3a5bd5bff98f5..5ed7ca4112015 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_sql_server_port_activity_to_the_internet.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
index 429a91183e88a..2bd9a3f63ee8c 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_from_the_internet.json
@@ -65,4 +65,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
index a260245b4dade..6512a1627db89 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_ssh_secure_shell_to_the_internet.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
index 4cfe15683c825..af60c991ceea2 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_telnet_port_activity.json
@@ -65,4 +65,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
index 8c8bb809c9fec..ff2ead0eaaf49 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_tor_activity_to_the_internet.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
index 4204a4fe62e88..7fac7938579ca 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_from_the_internet.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
index 898282e36df19..0a620d355b9ae 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_vnc_virtual_network_computing_to_the_internet.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
index 01246de5595e9..489077c9a5516 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json
@@ -39,4 +39,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json
index 765515ffda27c..c5cf6385afaf0 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_dns_tunneling.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json
index 79c30c5b38378..4623639b6e8b7 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_dns_question.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json
index 7b14ad62f6c93..dd14191d30df2 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_server_domain.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json
index 76767545e794a..386e00054c2cc 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_urls.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json
index 1dc49203f31c1..a68c43b228303 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/packetbeat_rare_user_agent.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json
index 8ae1b84aaf199..9d9fb5e4a0a8d 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_linux.json
@@ -8,6 +8,7 @@
 "interval": "15m",
 "machine_learning_job_id": "rare_process_by_host_linux_ecs",
 "name": "Unusual Process For a Linux Host",
+ "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
 "references": [
 "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
 ],
@@ -20,6 +21,5 @@
 "ML"
 ],
 "type": "machine_learning",
- "note": "### Investigating an Unusual Linux Process ###\nSignals from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.",
 "version": 1
 }
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json
index 879cee388f5dd..0c1d097a73dc2 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/rare_process_by_host_windows.json
@@ -8,6 +8,7 @@
 "interval": "15m",
 "machine_learning_job_id": "rare_process_by_host_windows_ecs",
 "name": "Unusual Process For a Windows Host",
+ "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
 "references": [
 "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
 ],
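Review bot: The relocated `note` string keeps stray trailing spaces inside the markdown, one before `\n` after `...software vendor or package.` and one at the very end (`...anti-malware tools. "`), while the equivalent relocation for windows_anomalous_network_activity later on this page drops the closing space. Since the value is being moved anyway, trimming both spaces here and in the windows_anomalous_process_all_hosts hunk would leave the three Windows notes consistent; a single trailing space before `\n` carries no markdown meaning and only shows up as noise in future diffs.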
@@ -20,6 +21,5 @@
 "Windows"
 ],
 "type": "machine_learning",
- "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
 "version": 1
 }
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
index 10412c19da1b1..3ad82d14be7a7 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json
@@ -21,4 +21,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json
index 4b94fdc6da147..b3c3f2d76a8c9 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_login_activity.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json
index 1092bcb20bcc3..0a85fee3de436 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_network_activity.json
@@ -8,6 +8,7 @@
 "interval": "15m",
 "machine_learning_job_id": "windows_anomalous_network_activity_ecs",
 "name": "Unusual Windows Network Activity",
+ "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.",
 "references": [
 "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
 ],
@@ -20,6 +21,5 @@
 "Windows"
 ],
 "type": "machine_learning",
- "note": "### Investigating Unusual Network Activity ###\nSignals from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? \n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
 "version": 1
 }
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json
index 8a88607b9d5c9..2652915d21d85 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_path_activity.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json
index f9adfeb830618..4e70426a4faf8 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_all_hosts.json
@@ -8,6 +8,7 @@
 "interval": "15m",
 "machine_learning_job_id": "windows_anomalous_process_all_hosts_ecs",
 "name": "Anomalous Process For a Windows Population",
+ "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
 "references": [
 "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
 ],
@@ -20,6 +21,5 @@
 "Windows"
 ],
 "type": "machine_learning",
- "note": "### Investigating an Unusual Windows Process ###\nSignals from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. \n- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ",
 "version": 1
 }
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json
index 98a078ccea4a4..4742fd951f471 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_process_creation.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json
index 564ca1782526f..bc38877a00ad0 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_script.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json
index afef569f4ebb4..92c4b22823120 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_service.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json
index a0c6ff5c938f1..9ad05eda8f518 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_anomalous_user_name.json
@@ -8,6 +8,7 @@
 "interval": "15m",
 "machine_learning_job_id": "windows_anomalous_user_name_ecs",
 "name": "Unusual Windows Username",
+ "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
 "references": [
 "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
 ],
@@ -20,6 +21,5 @@
 "Windows"
 ],
 "type": "machine_learning",
- "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.",
 "version": 1
 }
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json
index 52a373e3aeb77..82db7de3d3130 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
index 2bee265a74e11..51fceacddb3c9 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_prompt_connecting_to_the_internet.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
index d8f91dba7dd89..8e88549a44ada 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_powershell.json
@@ -47,4 +47,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
index 6fd194ee2fa22..f36f853a8e760 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_command_shell_started_by_svchost.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json
index 43050e2769a24..4ff7891438554 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json
index f5eb37c70d268..b42427a912cbb 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
index 0e8c5a5f2f631..ba684c4d721ee 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_defense_evasion_via_filter_manager.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json
index 72e02f8718d03..78f34c15bbd31 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_office_app.json
@@ -53,4 +53,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json
index ad519f1516aa6..3952a4680a523 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_script.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json
index 1bbce904f2518..a2e29c3900144 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_by_system_process.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json
index eea4b3b4efe10..1e63b259a86ec 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_renamed.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json
index 81ea14e265388..117d5982421a4 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_msbuild_started_unusal_process.json
@@ -38,4 +38,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
index 7755ff0233f7c..07c87531c4a4a 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_compiled_html_file.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
index d6acb81c10e3f..fb59cff68410e 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
@@ -47,4 +47,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
index 87e38febb0743..202bfc6b46afc 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_trusted_developer_utilities.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
index 6c8cd0673256a..906995b3b6662 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_html_help_executable_program_connecting_to_the_internet.json
@@ -47,4 +47,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json
index c6310c12ed974..32a8f50c4b911 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_injection_msbuild.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
index a0e311d8eb154..361a3e99b4dbd 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_misc_lolbin_connecting_to_the_internet.json
@@ -47,4 +47,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json
index 045a9789b1260..66195acafa5cb 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json
index e80dcde1e398d..735ae0b2d6a7b 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json
index c2379142df002..b2770ac2383fd 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
index 2f44727f9e6f0..5b77fdb01a605 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_persistence_via_application_shimming.json
@@ -47,4 +47,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
index aeff071ed4514..59ae2f6ad3bb8 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_priv_escalation_via_accessibility_features.json
@@ -47,4 +47,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
index 3a883fa51b763..489c8a47561b5 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_process_discovery_via_tasklist_command.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json
index febaa57443f76..a227b36064a9d 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_runas_event.json
@@ -21,4 +21,4 @@
 ],
 "type": "machine_learning",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json
index 7318364c3aac2..15241d7869c00 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_rare_user_type10_remote_login.json
@@ -8,6 +8,7 @@
 "interval": "15m",
 "machine_learning_job_id": "windows_rare_user_type10_remote_login",
 "name": "Unusual Windows Remote User",
+ "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
 "references": [
 "https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"
 ],
@@ -20,6 +21,5 @@
 "Windows"
 ],
 "type": "machine_learning",
- "note": "### Investigating an Unusual Windows User ###\nSignals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
 "version": 1
 }
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
index 1e061f2ef9463..f6fc38f963640 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_register_server_program_connecting_to_the_internet.json
@@ -50,4 +50,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json
index 9d4c2438acfb9..6c2b167a76ee4 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_pdf_reader.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json
index df7a6fe1285d1..1fb44f0c842de 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json
@@ -32,4 +32,4 @@
 ],
 "type": "query",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
index 93ce1f83dd64e..c01396dd51527 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_whoami_command_activity.json
@@ -35,4 +35,4 @@
 ],
 "type": "query",
 "version": 2
-}
\ No newline at end of file
+}