[SIEM] Remove forgotten rules that weren't deleted (#64974)

* Remove stray rules that should've been deleted * Update rule.ts and tests * Remove deleted prebuilt rules from cypress ES archive (#1)
2020-05-04 11:07:09 -06:00 · 2020-05-04 11:07:09 -06:00 · 9db27dba56
parent 122450a4c8
commit 9db27dba56
6 changed files with 18 additions and 182 deletions
--- a/x-pack/plugins/siem/cypress/objects/rule.ts
+++ b/x-pack/plugins/siem/cypress/objects/rule.ts
@ -4,7 +4,7 @@
 * you may not use this file except in compliance with the Elastic License.
 */

-export const totalNumberOfPrebuiltRules = 130;
+export const totalNumberOfPrebuiltRules = 127;

 interface Mitre {
  tactic: string;
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
@ -118,25 +118,23 @@ import rule108 from './windows_execution_msbuild_started_renamed.json';
 import rule109 from './windows_execution_msbuild_started_unusal_process.json';
 import rule110 from './windows_execution_via_compiled_html_file.json';
 import rule111 from './windows_execution_via_net_com_assemblies.json';
-import rule112 from './windows_execution_via_regsvr32.json';
-import rule113 from './windows_execution_via_trusted_developer_utilities.json';
-import rule114 from './windows_html_help_executable_program_connecting_to_the_internet.json';
-import rule115 from './windows_injection_msbuild.json';
-import rule116 from './windows_misc_lolbin_connecting_to_the_internet.json';
-import rule117 from './windows_modification_of_boot_config.json';
-import rule118 from './windows_msxsl_network.json';
-import rule119 from './windows_net_command_system_account.json';
-import rule120 from './windows_persistence_via_application_shimming.json';
-import rule121 from './windows_priv_escalation_via_accessibility_features.json';
-import rule122 from './windows_process_discovery_via_tasklist_command.json';
-import rule123 from './windows_rare_user_runas_event.json';
-import rule124 from './windows_rare_user_type10_remote_login.json';
-import rule125 from './windows_register_server_program_connecting_to_the_internet.json';
-import rule126 from './windows_signed_binary_proxy_execution.json';
-import rule127 from './windows_suspicious_pdf_reader.json';
-import rule128 from './windows_suspicious_process_started_by_a_script.json';
-import rule129 from './windows_uac_bypass_event_viewer.json';
-import rule130 from './windows_whoami_command_activity.json';
+import rule112 from './windows_execution_via_trusted_developer_utilities.json';
+import rule113 from './windows_html_help_executable_program_connecting_to_the_internet.json';
+import rule114 from './windows_injection_msbuild.json';
+import rule115 from './windows_misc_lolbin_connecting_to_the_internet.json';
+import rule116 from './windows_modification_of_boot_config.json';
+import rule117 from './windows_msxsl_network.json';
+import rule118 from './windows_net_command_system_account.json';
+import rule119 from './windows_persistence_via_application_shimming.json';
+import rule120 from './windows_priv_escalation_via_accessibility_features.json';
+import rule121 from './windows_process_discovery_via_tasklist_command.json';
+import rule122 from './windows_rare_user_runas_event.json';
+import rule123 from './windows_rare_user_type10_remote_login.json';
+import rule124 from './windows_register_server_program_connecting_to_the_internet.json';
+import rule125 from './windows_suspicious_pdf_reader.json';
+import rule126 from './windows_uac_bypass_event_viewer.json';
+import rule127 from './windows_whoami_command_activity.json';
+
 export const rawRules = [
  rule1,
  rule2,
@ -265,7 +263,4 @@ export const rawRules = [
  rule125,
  rule126,
  rule127,
-  rule128,
-  rule129,
-  rule130,
 ];
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_regsvr32.json
@ -1,51 +0,0 @@
-{
-  "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This may indicate a malicious scriptlet is being executed in the target process.",
-  "index": [
-    "winlogbeat-*"
-  ],
-  "language": "kuery",
-  "max_signals": 100,
-  "name": "Suspicious Script Object Execution",
-  "query": "event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)",
-  "risk_score": 21,
-  "rule_id": "b7333d08-be4b-4cb4-b81e-924ae37b3143",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Windows"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT&CK",
-      "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
-      },
-      "technique": [
-        {
-          "id": "T1064",
-          "name": "Scripting",
-          "reference": "https://attack.mitre.org/techniques/T1064/"
-        }
-      ]
-    },
-    {
-      "framework": "MITRE ATT&CK",
-      "tactic": {
-        "id": "TA0002",
-        "name": "Execution",
-        "reference": "https://attack.mitre.org/tactics/TA0002/"
-      },
-      "technique": [
-        {
-          "id": "T1064",
-          "name": "Scripting",
-          "reference": "https://attack.mitre.org/techniques/T1064/"
-        }
-      ]
-    }
-  ],
-  "type": "query",
-  "version": 1
-}
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_signed_binary_proxy_execution.json
@ -1,54 +0,0 @@
-{
-  "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application whitelisting and signature validation.",
-  "false_positives": [
-    "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
-  ],
-  "index": [
-    "winlogbeat-*"
-  ],
-  "language": "kuery",
-  "max_signals": 100,
-  "name": "Execution via Signed Binary",
-  "query": "event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)",
-  "risk_score": 21,
-  "rule_id": "7edb573f-1f9b-4161-8c19-c7c383bb17f2",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Windows"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT&CK",
-      "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
-      },
-      "technique": [
-        {
-          "id": "T1218",
-          "name": "Signed Binary Proxy Execution",
-          "reference": "https://attack.mitre.org/techniques/T1218/"
-        }
-      ]
-    },
-    {
-      "framework": "MITRE ATT&CK",
-      "tactic": {
-        "id": "TA0002",
-        "name": "Execution",
-        "reference": "https://attack.mitre.org/tactics/TA0002/"
-      },
-      "technique": [
-        {
-          "id": "T1218",
-          "name": "Signed Binary Proxy Execution",
-          "reference": "https://attack.mitre.org/techniques/T1218/"
-        }
-      ]
-    }
-  ],
-  "type": "query",
-  "version": 1
-}
--- a/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
+++ b/x-pack/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_suspicious_process_started_by_a_script.json
@ -1,54 +0,0 @@
-{
-  "description": "Identifies a suspicious process being spawned from a script interpreter, which could be indicative of a potential phishing attack.",
-  "false_positives": [
-    "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."
-  ],
-  "index": [
-    "winlogbeat-*"
-  ],
-  "language": "kuery",
-  "max_signals": 100,
-  "name": "Suspicious Process spawning from Script Interpreter",
-  "query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe) and event.code:1",
-  "risk_score": 21,
-  "rule_id": "89db767d-99f9-479f-8052-9205fd3090c4",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Windows"
-  ],
-  "threat": [
-    {
-      "framework": "MITRE ATT&CK",
-      "tactic": {
-        "id": "TA0005",
-        "name": "Defense Evasion",
-        "reference": "https://attack.mitre.org/tactics/TA0005/"
-      },
-      "technique": [
-        {
-          "id": "T1064",
-          "name": "Scripting",
-          "reference": "https://attack.mitre.org/techniques/T1064/"
-        }
-      ]
-    },
-    {
-      "framework": "MITRE ATT&CK",
-      "tactic": {
-        "id": "TA0002",
-        "name": "Execution",
-        "reference": "https://attack.mitre.org/tactics/TA0002/"
-      },
-      "technique": [
-        {
-          "id": "T1064",
-          "name": "Scripting",
-          "reference": "https://attack.mitre.org/techniques/T1064/"
-        }
-      ]
-    }
-  ],
-  "type": "query",
-  "version": 1
-}
--- a/x-pack/test/siem_cypress/es_archives/prebuilt_rules_loaded/data.json.gz
+++ b/x-pack/test/siem_cypress/es_archives/prebuilt_rules_loaded/data.json.gz