maxmustermann/kibana
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

first rule cuts (#54990)

Browse source 
* rule cuts

first pass at rule cuts, 21 deelted rule files, no adds, no changes.

* Update index.ts

* index regen

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This commit is contained in:
The SpaceCake Project 2020-01-16 15:49:26 -05:00 committed by GitHub
parent 89e79aa422
commit bc69d6e604
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
37 changed files with 300 additions and 1492 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_internet_explorer.json
View file

@ -1,68 +0,0 @@
{
"description": "Command shell started by Internet Explorer",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "process.name",
"negate": false,
"params": {
"query": "cmd.exe"
},
"type": "phrase",
"value": "cmd.exe"
},
"query": {
"match": {
"process.name": {
"query": "cmd.exe",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
"key": "event.action",
"negate": false,
"params": {
"query": "Process Create (rule: ProcessCreate)"
},
"type": "phrase",
"value": "Process Create (rule: ProcessCreate)"
},
"query": {
"match": {
"event.action": {
"query": "Process Create (rule: ProcessCreate)",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Command shell started by Internet Explorer",
"query": "process.parent.name:iexplore.exe",
"risk_score": 50,
"rule_id": "a0b554d2-85ed-4998-ada3-4ca58b508b35",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

68
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_powershell.json
View file

@ -1,68 +0,0 @@
{
"description": "Command shell started by Powershell",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "process.name",
"negate": false,
"params": {
"query": "cmd.exe"
},
"type": "phrase",
"value": "cmd.exe"
},
"query": {
"match": {
"process.name": {
"query": "cmd.exe",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
"key": "event.action",
"negate": false,
"params": {
"query": "Process Create (rule: ProcessCreate)"
},
"type": "phrase",
"value": "Process Create (rule: ProcessCreate)"
},
"query": {
"match": {
"event.action": {
"query": "Process Create (rule: ProcessCreate)",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Command shell started by Powershell",
"query": "process.parent.name:powershell.exe",
"risk_score": 50,
"rule_id": "ab4bbfa5-4127-40bf-852f-bdc6afdb2a06",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

68
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/command_shell_started_by_svchost.json
View file

@ -1,68 +0,0 @@
{
"description": "Command shell started by Svchost",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "process.name",
"negate": false,
"params": {
"query": "cmd.exe"
},
"type": "phrase",
"value": "cmd.exe"
},
"query": {
"match": {
"process.name": {
"query": "cmd.exe",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
"key": "event.action",
"negate": false,
"params": {
"query": "Process Create (rule: ProcessCreate)"
},
"type": "phrase",
"value": "Process Create (rule: ProcessCreate)"
},
"query": {
"match": {
"event.action": {
"query": "Process Create (rule: ProcessCreate)",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Command shell started by Svchost",
"query": "process.parent.name:svchost.exe",
"risk_score": 50,
"rule_id": "2e4f8a5e-ce68-44e0-9243-1f57d44c4f30",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_large_outbound_icmp_packets.json
View file

@ -1,17 +0,0 @@
{
"description": "Network - Detect Large Outbound ICMP Packets",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Network - Detect Large Outbound ICMP Packets",
"query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
"risk_score": 50,
"rule_id": "4fce2a7e-0e11-4f17-bae3-8873c5ae62be",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_detect_long_dns_txt_record_response.json
View file

@ -1,17 +0,0 @@
{
"description": "Network - Detect Long DNS TXT Record Response",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Network - Detect Long DNS TXT Record Response",
"query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53",
"risk_score": 50,
"rule_id": "cc28f445-318e-4850-8b0d-5ad53eaded74",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_network_protocols_passing_authentication_in_cleartext.json
View file

@ -1,17 +0,0 @@
{
"description": "Network - Protocols passing authentication in cleartext",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Network - Protocols passing authentication in cleartext",
"query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
"risk_score": 50,
"rule_id": "31f32b3c-415a-4a18-b60f-5748a337246b",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_child_processes_of_spoolsvexe.json
View file

@ -1,17 +0,0 @@
{
"description": "Windows - Child Processes of Spoolsv.exe",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Windows - Child Processes of Spoolsv.exe",
"query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ",
"risk_score": 50,
"rule_id": "dcc45d35-f42e-4f97-81e8-90b0597ea0d1",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_new_local_admin_account.json
View file

@ -1,17 +0,0 @@
{
"description": "Windows - Detect New Local Admin account",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Windows - Detect New Local Admin account",
"query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators",
"risk_score": 50,
"rule_id": "461db51b-b1a1-49de-ac63-e1bcbd445602",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_psexec_with_accepteula_flag.json
View file

@ -1,17 +0,0 @@
{
"description": "Windows - Detect PsExec With accepteula Flag",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Windows - Detect PsExec With accepteula Flag",
"query": "process.name:PsExec.exe and process.args:\"-accepteula\"",
"risk_score": 50,
"rule_id": "304b0e0c-bd06-46f8-aeda-2e719ae434d1",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json
View file

@ -1,17 +0,0 @@
{
"description": "Windows - Detect Use of cmd.exe to Launch Script Interpreters",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Windows - Detect Use of cmd.exe to Launch Script Interpreters",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"",
"risk_score": 50,
"rule_id": "b17c215e-8fa5-4087-b8d1-87761a90d710",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_new_external_device.json
View file

@ -1,17 +0,0 @@
{
"description": "Windows - New External Device Attached",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Windows - New External Device Attached",
"query": "event.code:6416",
"risk_score": 50,
"rule_id": "c0747553-5763-5d85-cd97-898f2daa2bde",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_created_by_netsh.json
View file

@ -1,17 +0,0 @@
{
"description": "Windows - Processes created by netsh",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Windows - Processes created by netsh",
"query": "process.parent.name:netsh.exe",
"risk_score": 50,
"rule_id": "e312dd9e-4760-4a71-a241-9b9a835a51c4",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_processes_launching_netsh.json
View file

@ -1,17 +0,0 @@
{
"description": "Windows - Processes launching netsh",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Windows - Processes launching netsh",
"query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
"risk_score": 50,
"rule_id": "3b8db8aa-5734-405e-8dda-703129078a35",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/ece_windows_windows_event_log_cleared.json
View file

@ -1,17 +0,0 @@
{
"description": "Windows - Windows Event Log Cleared",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Windows - Windows Event Log Cleared",
"query": "event.code:(1102 or 1100)",
"risk_score": 50,
"rule_id": "b94b5177-ca7f-468a-9a1d-aef39c30a3ae",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

672
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts
View file

@ -10,342 +10,306 @@
import rule1 from './403_response_to_a_post.json';
import rule2 from './405_response_method_not_allowed.json';
import rule3 from './500_response_on_admin_page.json';
import rule4 from './command_shell_started_by_internet_explorer.json';
import rule5 from './command_shell_started_by_powershell.json';
import rule6 from './command_shell_started_by_svchost.json';
import rule7 from './ece_network_detect_large_outbound_icmp_packets.json';
import rule8 from './ece_network_detect_long_dns_txt_record_response.json';
import rule9 from './ece_network_protocols_passing_authentication_in_cleartext.json';
import rule10 from './ece_windows_child_processes_of_spoolsvexe.json';
import rule11 from './ece_windows_detect_new_local_admin_account.json';
import rule12 from './ece_windows_detect_psexec_with_accepteula_flag.json';
import rule13 from './ece_windows_detect_use_of_cmdexe_to_launch_script_interpreters.json';
import rule14 from './ece_windows_new_external_device.json';
import rule15 from './ece_windows_processes_created_by_netsh.json';
import rule16 from './ece_windows_processes_launching_netsh.json';
import rule17 from './ece_windows_windows_event_log_cleared.json';
import rule18 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json';
import rule19 from './eql_adobe_hijack_persistence.json';
import rule20 from './eql_audio_capture_via_powershell.json';
import rule21 from './eql_audio_capture_via_soundrecorder.json';
import rule22 from './eql_bypass_uac_event_viewer.json';
import rule23 from './eql_bypass_uac_via_cmstp.json';
import rule24 from './eql_bypass_uac_via_sdclt.json';
import rule25 from './eql_clearing_windows_event_logs.json';
import rule26 from './eql_delete_volume_usn_journal_with_fsutil.json';
import rule27 from './eql_deleting_backup_catalogs_with_wbadmin.json';
import rule28 from './eql_direct_outbound_smb_connection.json';
import rule29 from './eql_disable_windows_firewall_rules_with_netsh.json';
import rule30 from './eql_dll_search_order_hijack.json';
import rule31 from './eql_encoding_or_decoding_files_via_certutil.json';
import rule32 from './eql_local_scheduled_task_commands.json';
import rule33 from './eql_local_service_commands.json';
import rule34 from './eql_modification_of_boot_configuration.json';
import rule35 from './eql_msbuild_making_network_connections.json';
import rule36 from './eql_mshta_making_network_connections.json';
import rule37 from './eql_msxsl_making_network_connections.json';
import rule38 from './eql_psexec_lateral_movement_command.json';
import rule39 from './eql_suspicious_ms_office_child_process.json';
import rule40 from './eql_suspicious_ms_outlook_child_process.json';
import rule41 from './eql_suspicious_pdf_reader_child_process.json';
import rule42 from './eql_system_shells_via_services.json';
import rule43 from './eql_unusual_network_connection_via_rundll32.json';
import rule44 from './eql_unusual_parentchild_relationship.json';
import rule45 from './eql_unusual_process_network_connection.json';
import rule46 from './eql_user_account_creation.json';
import rule47 from './eql_user_added_to_administrator_group.json';
import rule48 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
import rule49 from './eql_volume_shadow_copy_deletion_via_wmic.json';
import rule50 from './eql_windows_script_executing_powershell.json';
import rule51 from './eql_wmic_command_lateral_movement.json';
import rule52 from './linux_hping_activity.json';
import rule53 from './linux_iodine_activity.json';
import rule54 from './linux_java_process_connecting_to_the_internet.json';
import rule55 from './linux_kernel_module_activity.json';
import rule56 from './linux_ldso_process_activity.json';
import rule57 from './linux_lzop_activity.json';
import rule58 from './linux_lzop_activity_possible_julianrunnels.json';
import rule59 from './linux_mknod_activity.json';
import rule60 from './linux_netcat_network_connection.json';
import rule61 from './linux_network_anomalous_process_using_https_ports.json';
import rule62 from './linux_nmap_activity.json';
import rule63 from './linux_nping_activity.json';
import rule64 from './linux_process_started_in_temp_directory.json';
import rule65 from './linux_ptrace_activity.json';
import rule66 from './linux_rawshark_activity.json';
import rule67 from './linux_shell_activity_by_web_server.json';
import rule68 from './linux_socat_activity.json';
import rule69 from './linux_ssh_forwarding.json';
import rule70 from './linux_strace_activity.json';
import rule71 from './linux_tcpdump_activity.json';
import rule72 from './linux_unusual_shell_activity.json';
import rule73 from './linux_web_download.json';
import rule74 from './linux_whoami_commmand.json';
import rule75 from './network_dns_directly_to_the_internet.json';
import rule76 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
import rule77 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
import rule78 from './network_nat_traversal_port_activity.json';
import rule79 from './network_port_26_activity.json';
import rule80 from './network_port_8000_activity.json';
import rule81 from './network_port_8000_activity_to_the_internet.json';
import rule82 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
import rule83 from './network_proxy_port_activity_to_the_internet.json';
import rule84 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
import rule85 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
import rule86 from './network_rpc_remote_procedure_call_from_the_internet.json';
import rule87 from './network_rpc_remote_procedure_call_to_the_internet.json';
import rule88 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
import rule89 from './network_smtp_to_the_internet.json';
import rule90 from './network_sql_server_port_activity_to_the_internet.json';
import rule91 from './network_ssh_secure_shell_from_the_internet.json';
import rule92 from './network_ssh_secure_shell_to_the_internet.json';
import rule93 from './network_telnet_port_activity.json';
import rule94 from './network_tor_activity_to_the_internet.json';
import rule95 from './network_vnc_virtual_network_computing_from_the_internet.json';
import rule96 from './network_vnc_virtual_network_computing_to_the_internet.json';
import rule97 from './null_user_agent.json';
import rule98 from './powershell_network_connection.json';
import rule99 from './process_execution_via_wmi.json';
import rule100 from './process_started_by_acrobat_reader_possible_payload.json';
import rule101 from './process_started_by_ms_office_program_possible_payload.json';
import rule102 from './process_started_by_windows_defender.json';
import rule103 from './psexec_activity.json';
import rule104 from './search_windows_10.json';
import rule105 from './splunk_child_processes_of_spoolsvexe.json';
import rule106 from './splunk_detect_large_outbound_icmp_packets.json';
import rule107 from './splunk_detect_long_dns_txt_record_response.json';
import rule108 from './splunk_detect_new_local_admin_account.json';
import rule109 from './splunk_detect_psexec_with_accepteula_flag.json';
import rule110 from './splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json';
import rule111 from './splunk_processes_created_by_netsh.json';
import rule112 from './splunk_processes_launching_netsh.json';
import rule113 from './splunk_protocols_passing_authentication_in_cleartext.json';
import rule114 from './splunk_windows_event_log_cleared.json';
import rule115 from './sqlmap_user_agent.json';
import rule116 from './suricata_base64_encoded_invokecommand_powershell_execution.json';
import rule117 from './suricata_base64_encoded_newobject_powershell_execution.json';
import rule118 from './suricata_base64_encoded_startprocess_powershell_execution.json';
import rule119 from './suricata_category_a_suspicious_string_was_detected.json';
import rule120 from './suricata_category_attempted_administrator_privilege_gain.json';
import rule121 from './suricata_category_attempted_denial_of_service.json';
import rule122 from './suricata_category_attempted_information_leak.json';
import rule123 from './suricata_category_attempted_login_with_suspicious_username.json';
import rule124 from './suricata_category_attempted_user_privilege_gain.json';
import rule125 from './suricata_category_client_using_unusual_port.json';
import rule126 from './suricata_category_crypto_currency_mining_activity.json';
import rule127 from './suricata_category_decode_of_an_rpc_query.json';
import rule128 from './suricata_category_default_username_and_password_login_attempt.json';
import rule129 from './suricata_category_denial_of_service.json';
import rule130 from './suricata_category_denial_of_service_attack.json';
import rule131 from './suricata_category_executable_code_was_detected.json';
import rule132 from './suricata_category_exploit_kit_activity.json';
import rule133 from './suricata_category_external_ip_address_retrieval.json';
import rule134 from './suricata_category_generic_icmp_event.json';
import rule135 from './suricata_category_generic_protocol_command_decode.json';
import rule136 from './suricata_category_information_leak.json';
import rule137 from './suricata_category_large_scale_information_leak.json';
import rule138 from './suricata_category_malware_command_and_control_activity.json';
import rule139 from './suricata_category_misc_activity.json';
import rule140 from './suricata_category_misc_attack.json';
import rule141 from './suricata_category_network_scan_detected.json';
import rule142 from './suricata_category_network_trojan_detected.json';
import rule143 from './suricata_category_nonstandard_protocol_or_event.json';
import rule144 from './suricata_category_not_suspicious_traffic.json';
import rule145 from './suricata_category_observed_c2_domain.json';
import rule146 from './suricata_category_possible_social_engineering_attempted.json';
import rule147 from './suricata_category_possibly_unwanted_program.json';
import rule148 from './suricata_category_potential_corporate_privacy_violation.json';
import rule149 from './suricata_category_potentially_bad_traffic.json';
import rule150 from './suricata_category_potentially_vulnerable_web_application_access.json';
import rule151 from './suricata_category_successful_administrator_privilege_gain.json';
import rule152 from './suricata_category_successful_credential_theft.json';
import rule153 from './suricata_category_successful_user_privilege_gain.json';
import rule154 from './suricata_category_suspicious_filename_detected.json';
import rule155 from './suricata_category_system_call_detected.json';
import rule156 from './suricata_category_targeted_malicious_activity.json';
import rule157 from './suricata_category_tcp_connection_detected.json';
import rule158 from './suricata_category_unknown_traffic.json';
import rule159 from './suricata_category_unsuccessful_user_privilege_gain.json';
import rule160 from './suricata_category_web_application_attack.json';
import rule161 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';
import rule162 from './suricata_commonly_abused_dns_domain_detected.json';
import rule163 from './suricata_directory_reversal_characters_in_an_http_request.json';
import rule164 from './suricata_directory_traversal_characters_in_an_http_request.json';
import rule165 from './suricata_directory_traversal_characters_in_http_response.json';
import rule166 from './suricata_directory_traversal_in_downloaded_zip_file.json';
import rule167 from './suricata_dns_traffic_on_unusual_tcp_port.json';
import rule168 from './suricata_dns_traffic_on_unusual_udp_port.json';
import rule169 from './suricata_double_encoded_characters_in_a_uri.json';
import rule170 from './suricata_double_encoded_characters_in_an_http_post.json';
import rule171 from './suricata_double_encoded_characters_in_http_request.json';
import rule172 from './suricata_eval_php_function_in_an_http_request.json';
import rule173 from './suricata_exploit_cve_2018_1000861.json';
import rule174 from './suricata_exploit_cve_2019_0227.json';
import rule175 from './suricata_exploit_cve_2019_0232.json';
import rule176 from './suricata_exploit_cve_2019_0604.json';
import rule177 from './suricata_exploit_cve_2019_0708.json';
import rule178 from './suricata_exploit_cve_2019_0752.json';
import rule179 from './suricata_exploit_cve_2019_1003000.json';
import rule180 from './suricata_exploit_cve_2019_10149.json';
import rule181 from './suricata_exploit_cve_2019_11043.json';
import rule182 from './suricata_exploit_cve_2019_11510.json';
import rule183 from './suricata_exploit_cve_2019_11580.json';
import rule184 from './suricata_exploit_cve_2019_11581.json';
import rule185 from './suricata_exploit_cve_2019_13450.json';
import rule186 from './suricata_exploit_cve_2019_13505.json';
import rule187 from './suricata_exploit_cve_2019_15107.json';
import rule188 from './suricata_exploit_cve_2019_15846.json';
import rule189 from './suricata_exploit_cve_2019_16072.json';
import rule190 from './suricata_exploit_cve_2019_1652.json';
import rule191 from './suricata_exploit_cve_2019_16662.json';
import rule192 from './suricata_exploit_cve_2019_16759.json';
import rule193 from './suricata_exploit_cve_2019_16928.json';
import rule194 from './suricata_exploit_cve_2019_17270.json';
import rule195 from './suricata_exploit_cve_2019_1821.json';
import rule196 from './suricata_exploit_cve_2019_19781.json';
import rule197 from './suricata_exploit_cve_2019_2618.json';
import rule198 from './suricata_exploit_cve_2019_2725.json';
import rule199 from './suricata_exploit_cve_2019_3396.json';
import rule200 from './suricata_exploit_cve_2019_3929.json';
import rule201 from './suricata_exploit_cve_2019_5533.json';
import rule202 from './suricata_exploit_cve_2019_6340.json';
import rule203 from './suricata_exploit_cve_2019_7256.json';
import rule204 from './suricata_exploit_cve_2019_9978.json';
import rule205 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json';
import rule206 from './suricata_http_traffic_on_unusual_port_internet_destination.json';
import rule207 from './suricata_imap_traffic_on_unusual_port_internet_destination.json';
import rule208 from './suricata_lazagne_artifact_in_an_http_post.json';
import rule209 from './suricata_mimikatz_artifacts_in_an_http_post.json';
import rule210 from './suricata_mimikatz_string_detected_in_http_response.json';
import rule211 from './suricata_nondns_traffic_on_tcp_port_53.json';
import rule212 from './suricata_nondns_traffic_on_udp_port_53.json';
import rule213 from './suricata_nonftp_traffic_on_port_21.json';
import rule214 from './suricata_nonhttp_traffic_on_tcp_port_80.json';
import rule215 from './suricata_nonimap_traffic_on_port_1443_imap.json';
import rule216 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json';
import rule217 from './suricata_nonssh_traffic_on_port_22.json';
import rule218 from './suricata_nontls_on_tls_port.json';
import rule219 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json';
import rule220 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json';
import rule221 from './suricata_rpc_traffic_on_http_ports.json';
import rule222 from './suricata_serialized_php_detected.json';
import rule223 from './suricata_shell_exec_php_function_in_an_http_post.json';
import rule224 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json';
import rule225 from './suricata_tls_traffic_on_unusual_port_internet_destination.json';
import rule226 from './suricata_windows_executable_served_by_jpeg_web_content.json';
import rule227 from './suspicious_process_started_by_a_script.json';
import rule228 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
import rule229 from './windows_burp_ce_activity.json';
import rule230 from './windows_certutil_connecting_to_the_internet.json';
import rule231 from './windows_command_prompt_connecting_to_the_internet.json';
import rule232 from './windows_command_shell_started_by_internet_explorer.json';
import rule233 from './windows_command_shell_started_by_powershell.json';
import rule234 from './windows_command_shell_started_by_svchost.json';
import rule235 from './windows_credential_dumping_commands.json';
import rule236 from './windows_credential_dumping_via_imageload.json';
import rule237 from './windows_credential_dumping_via_registry_save.json';
import rule238 from './windows_data_compression_using_powershell.json';
import rule239 from './windows_defense_evasion_decoding_using_certutil.json';
import rule240 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
import rule241 from './windows_defense_evasion_via_filter_manager.json';
import rule242 from './windows_defense_evasion_via_windows_event_log_tools.json';
import rule243 from './windows_execution_via_compiled_html_file.json';
import rule244 from './windows_execution_via_connection_manager.json';
import rule245 from './windows_execution_via_microsoft_html_application_hta.json';
import rule246 from './windows_execution_via_net_com_assemblies.json';
import rule247 from './windows_execution_via_regsvr32.json';
import rule248 from './windows_execution_via_trusted_developer_utilities.json';
import rule249 from './windows_html_help_executable_program_connecting_to_the_internet.json';
import rule250 from './windows_image_load_from_a_temp_directory.json';
import rule251 from './windows_indirect_command_execution.json';
import rule252 from './windows_iodine_activity.json';
import rule253 from './windows_management_instrumentation_wmi_execution.json';
import rule254 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
import rule255 from './windows_mimikatz_activity.json';
import rule256 from './windows_misc_lolbin_connecting_to_the_internet.json';
import rule257 from './windows_net_command_activity_by_the_system_account.json';
import rule258 from './windows_net_user_command_activity.json';
import rule259 from './windows_netcat_activity.json';
import rule260 from './windows_netcat_network_activity.json';
import rule261 from './windows_network_anomalous_windows_process_using_https_ports.json';
import rule262 from './windows_nmap_activity.json';
import rule263 from './windows_nmap_scan_activity.json';
import rule264 from './windows_payload_obfuscation_via_certutil.json';
import rule265 from './windows_persistence_or_priv_escalation_via_hooking.json';
import rule266 from './windows_persistence_via_application_shimming.json';
import rule267 from './windows_persistence_via_bits_jobs.json';
import rule268 from './windows_persistence_via_modification_of_existing_service.json';
import rule269 from './windows_persistence_via_netshell_helper_dll.json';
import rule270 from './windows_powershell_connecting_to_the_internet.json';
import rule271 from './windows_priv_escalation_via_accessibility_features.json';
import rule272 from './windows_process_discovery_via_tasklist_command.json';
import rule273 from './windows_process_execution_via_wmi.json';
import rule274 from './windows_process_started_by_acrobat_reader_possible_payload.json';
import rule275 from './windows_process_started_by_ms_office_program_possible_payload.json';
import rule276 from './windows_process_started_by_the_java_runtime.json';
import rule277 from './windows_psexec_activity.json';
import rule278 from './windows_register_server_program_connecting_to_the_internet.json';
import rule279 from './windows_registry_query_local.json';
import rule280 from './windows_registry_query_network.json';
import rule281 from './windows_remote_management_execution.json';
import rule282 from './windows_scheduled_task_activity.json';
import rule283 from './windows_script_interpreter_connecting_to_the_internet.json';
import rule284 from './windows_signed_binary_proxy_execution.json';
import rule285 from './windows_signed_binary_proxy_execution_download.json';
import rule286 from './windows_suspicious_process_started_by_a_script.json';
import rule287 from './windows_whoami_command_activity.json';
import rule288 from './windows_windump_activity.json';
import rule289 from './windows_wireshark_activity.json';
import rule290 from './windump_activity.json';
import rule291 from './zeek_notice_capturelosstoo_much_loss.json';
import rule292 from './zeek_notice_conncontent_gap.json';
import rule293 from './zeek_notice_connretransmission_inconsistency.json';
import rule294 from './zeek_notice_dnsexternal_name.json';
import rule295 from './zeek_notice_ftpbruteforcing.json';
import rule296 from './zeek_notice_ftpsite_exec_success.json';
import rule297 from './zeek_notice_heartbleedssl_heartbeat_attack.json';
import rule298 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json';
import rule299 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json';
import rule300 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json';
import rule301 from './zeek_notice_httpsql_injection_attacker.json';
import rule302 from './zeek_notice_httpsql_injection_victim.json';
import rule303 from './zeek_notice_intelnotice.json';
import rule304 from './zeek_notice_noticetally.json';
import rule305 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json';
import rule306 from './zeek_notice_packetfiltercompile_failure.json';
import rule307 from './zeek_notice_packetfilterdropped_packets.json';
import rule308 from './zeek_notice_packetfilterinstall_failure.json';
import rule309 from './zeek_notice_packetfilterno_more_conn_shunts_available.json';
import rule310 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json';
import rule311 from './zeek_notice_protocoldetectorprotocol_found.json';
import rule312 from './zeek_notice_protocoldetectorserver_found.json';
import rule313 from './zeek_notice_scanaddress_scan.json';
import rule314 from './zeek_notice_scanport_scan.json';
import rule315 from './zeek_notice_signaturescount_signature.json';
import rule316 from './zeek_notice_signaturesmultiple_sig_responders.json';
import rule317 from './zeek_notice_signaturesmultiple_signatures.json';
import rule318 from './zeek_notice_signaturessensitive_signature.json';
import rule319 from './zeek_notice_signaturessignature_summary.json';
import rule320 from './zeek_notice_smtpblocklist_blocked_host.json';
import rule321 from './zeek_notice_smtpblocklist_error_message.json';
import rule322 from './zeek_notice_smtpsuspicious_origination.json';
import rule323 from './zeek_notice_softwaresoftware_version_change.json';
import rule324 from './zeek_notice_softwarevulnerable_version.json';
import rule325 from './zeek_notice_sshinteresting_hostname_login.json';
import rule326 from './zeek_notice_sshlogin_by_password_guesser.json';
import rule327 from './zeek_notice_sshpassword_guessing.json';
import rule328 from './zeek_notice_sshwatched_country_login.json';
import rule329 from './zeek_notice_sslcertificate_expired.json';
import rule330 from './zeek_notice_sslcertificate_expires_soon.json';
import rule331 from './zeek_notice_sslcertificate_not_valid_yet.json';
import rule332 from './zeek_notice_sslinvalid_ocsp_response.json';
import rule333 from './zeek_notice_sslinvalid_server_cert.json';
import rule334 from './zeek_notice_sslold_version.json';
import rule335 from './zeek_notice_sslweak_cipher.json';
import rule336 from './zeek_notice_sslweak_key.json';
import rule337 from './zeek_notice_teamcymrumalwarehashregistrymatch.json';
import rule338 from './zeek_notice_traceroutedetected.json';
import rule339 from './zeek_notice_weirdactivity.json';
import rule4 from './eql_adding_the_hidden_file_attribute_with_via_attribexe.json';
import rule5 from './eql_adobe_hijack_persistence.json';
import rule6 from './eql_audio_capture_via_powershell.json';
import rule7 from './eql_audio_capture_via_soundrecorder.json';
import rule8 from './eql_bypass_uac_event_viewer.json';
import rule9 from './eql_bypass_uac_via_cmstp.json';
import rule10 from './eql_bypass_uac_via_sdclt.json';
import rule11 from './eql_clearing_windows_event_logs.json';
import rule12 from './eql_delete_volume_usn_journal_with_fsutil.json';
import rule13 from './eql_deleting_backup_catalogs_with_wbadmin.json';
import rule14 from './eql_direct_outbound_smb_connection.json';
import rule15 from './eql_disable_windows_firewall_rules_with_netsh.json';
import rule16 from './eql_dll_search_order_hijack.json';
import rule17 from './eql_encoding_or_decoding_files_via_certutil.json';
import rule18 from './eql_local_scheduled_task_commands.json';
import rule19 from './eql_local_service_commands.json';
import rule20 from './eql_modification_of_boot_configuration.json';
import rule21 from './eql_msbuild_making_network_connections.json';
import rule22 from './eql_mshta_making_network_connections.json';
import rule23 from './eql_msxsl_making_network_connections.json';
import rule24 from './eql_psexec_lateral_movement_command.json';
import rule25 from './eql_suspicious_ms_office_child_process.json';
import rule26 from './eql_suspicious_ms_outlook_child_process.json';
import rule27 from './eql_suspicious_pdf_reader_child_process.json';
import rule28 from './eql_system_shells_via_services.json';
import rule29 from './eql_unusual_network_connection_via_rundll32.json';
import rule30 from './eql_unusual_parentchild_relationship.json';
import rule31 from './eql_unusual_process_network_connection.json';
import rule32 from './eql_user_account_creation.json';
import rule33 from './eql_user_added_to_administrator_group.json';
import rule34 from './eql_volume_shadow_copy_deletion_via_vssadmin.json';
import rule35 from './eql_volume_shadow_copy_deletion_via_wmic.json';
import rule36 from './eql_windows_script_executing_powershell.json';
import rule37 from './eql_wmic_command_lateral_movement.json';
import rule38 from './linux_hping_activity.json';
import rule39 from './linux_iodine_activity.json';
import rule40 from './linux_kernel_module_activity.json';
import rule41 from './linux_ldso_process_activity.json';
import rule42 from './linux_lzop_activity.json';
import rule43 from './linux_mknod_activity.json';
import rule44 from './linux_netcat_network_connection.json';
import rule45 from './linux_network_anomalous_process_using_https_ports.json';
import rule46 from './linux_nmap_activity.json';
import rule47 from './linux_nping_activity.json';
import rule48 from './linux_process_started_in_temp_directory.json';
import rule49 from './linux_ptrace_activity.json';
import rule50 from './linux_rawshark_activity.json';
import rule51 from './linux_shell_activity_by_web_server.json';
import rule52 from './linux_socat_activity.json';
import rule53 from './linux_ssh_forwarding.json';
import rule54 from './linux_strace_activity.json';
import rule55 from './linux_tcpdump_activity.json';
import rule56 from './linux_web_download.json';
import rule57 from './linux_whoami_commmand.json';
import rule58 from './network_dns_directly_to_the_internet.json';
import rule59 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json';
import rule60 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json';
import rule61 from './network_nat_traversal_port_activity.json';
import rule62 from './network_port_26_activity.json';
import rule63 from './network_port_8000_activity.json';
import rule64 from './network_port_8000_activity_to_the_internet.json';
import rule65 from './network_pptp_point_to_point_tunneling_protocol_activity.json';
import rule66 from './network_proxy_port_activity_to_the_internet.json';
import rule67 from './network_rdp_remote_desktop_protocol_from_the_internet.json';
import rule68 from './network_rdp_remote_desktop_protocol_to_the_internet.json';
import rule69 from './network_rpc_remote_procedure_call_from_the_internet.json';
import rule70 from './network_rpc_remote_procedure_call_to_the_internet.json';
import rule71 from './network_smb_windows_file_sharing_activity_to_the_internet.json';
import rule72 from './network_smtp_to_the_internet.json';
import rule73 from './network_sql_server_port_activity_to_the_internet.json';
import rule74 from './network_ssh_secure_shell_from_the_internet.json';
import rule75 from './network_ssh_secure_shell_to_the_internet.json';
import rule76 from './network_telnet_port_activity.json';
import rule77 from './network_tor_activity_to_the_internet.json';
import rule78 from './network_vnc_virtual_network_computing_from_the_internet.json';
import rule79 from './network_vnc_virtual_network_computing_to_the_internet.json';
import rule80 from './null_user_agent.json';
import rule81 from './sqlmap_user_agent.json';
import rule82 from './suricata_base64_encoded_invokecommand_powershell_execution.json';
import rule83 from './suricata_base64_encoded_newobject_powershell_execution.json';
import rule84 from './suricata_base64_encoded_startprocess_powershell_execution.json';
import rule85 from './suricata_category_a_suspicious_string_was_detected.json';
import rule86 from './suricata_category_attempted_administrator_privilege_gain.json';
import rule87 from './suricata_category_attempted_denial_of_service.json';
import rule88 from './suricata_category_attempted_information_leak.json';
import rule89 from './suricata_category_attempted_login_with_suspicious_username.json';
import rule90 from './suricata_category_attempted_user_privilege_gain.json';
import rule91 from './suricata_category_client_using_unusual_port.json';
import rule92 from './suricata_category_crypto_currency_mining_activity.json';
import rule93 from './suricata_category_decode_of_an_rpc_query.json';
import rule94 from './suricata_category_default_username_and_password_login_attempt.json';
import rule95 from './suricata_category_denial_of_service.json';
import rule96 from './suricata_category_denial_of_service_attack.json';
import rule97 from './suricata_category_executable_code_was_detected.json';
import rule98 from './suricata_category_exploit_kit_activity.json';
import rule99 from './suricata_category_external_ip_address_retrieval.json';
import rule100 from './suricata_category_generic_icmp_event.json';
import rule101 from './suricata_category_generic_protocol_command_decode.json';
import rule102 from './suricata_category_information_leak.json';
import rule103 from './suricata_category_large_scale_information_leak.json';
import rule104 from './suricata_category_malware_command_and_control_activity.json';
import rule105 from './suricata_category_misc_activity.json';
import rule106 from './suricata_category_misc_attack.json';
import rule107 from './suricata_category_network_scan_detected.json';
import rule108 from './suricata_category_network_trojan_detected.json';
import rule109 from './suricata_category_nonstandard_protocol_or_event.json';
import rule110 from './suricata_category_not_suspicious_traffic.json';
import rule111 from './suricata_category_observed_c2_domain.json';
import rule112 from './suricata_category_possible_social_engineering_attempted.json';
import rule113 from './suricata_category_possibly_unwanted_program.json';
import rule114 from './suricata_category_potential_corporate_privacy_violation.json';
import rule115 from './suricata_category_potentially_bad_traffic.json';
import rule116 from './suricata_category_potentially_vulnerable_web_application_access.json';
import rule117 from './suricata_category_successful_administrator_privilege_gain.json';
import rule118 from './suricata_category_successful_credential_theft.json';
import rule119 from './suricata_category_successful_user_privilege_gain.json';
import rule120 from './suricata_category_suspicious_filename_detected.json';
import rule121 from './suricata_category_system_call_detected.json';
import rule122 from './suricata_category_targeted_malicious_activity.json';
import rule123 from './suricata_category_tcp_connection_detected.json';
import rule124 from './suricata_category_unknown_traffic.json';
import rule125 from './suricata_category_unsuccessful_user_privilege_gain.json';
import rule126 from './suricata_category_web_application_attack.json';
import rule127 from './suricata_cobaltstrike_artifact_in_an_dns_request.json';
import rule128 from './suricata_commonly_abused_dns_domain_detected.json';
import rule129 from './suricata_directory_reversal_characters_in_an_http_request.json';
import rule130 from './suricata_directory_traversal_characters_in_an_http_request.json';
import rule131 from './suricata_directory_traversal_characters_in_http_response.json';
import rule132 from './suricata_directory_traversal_in_downloaded_zip_file.json';
import rule133 from './suricata_dns_traffic_on_unusual_tcp_port.json';
import rule134 from './suricata_dns_traffic_on_unusual_udp_port.json';
import rule135 from './suricata_double_encoded_characters_in_a_uri.json';
import rule136 from './suricata_double_encoded_characters_in_an_http_post.json';
import rule137 from './suricata_double_encoded_characters_in_http_request.json';
import rule138 from './suricata_eval_php_function_in_an_http_request.json';
import rule139 from './suricata_exploit_cve_2018_1000861.json';
import rule140 from './suricata_exploit_cve_2019_0227.json';
import rule141 from './suricata_exploit_cve_2019_0232.json';
import rule142 from './suricata_exploit_cve_2019_0604.json';
import rule143 from './suricata_exploit_cve_2019_0708.json';
import rule144 from './suricata_exploit_cve_2019_0752.json';
import rule145 from './suricata_exploit_cve_2019_1003000.json';
import rule146 from './suricata_exploit_cve_2019_10149.json';
import rule147 from './suricata_exploit_cve_2019_11043.json';
import rule148 from './suricata_exploit_cve_2019_11510.json';
import rule149 from './suricata_exploit_cve_2019_11580.json';
import rule150 from './suricata_exploit_cve_2019_11581.json';
import rule151 from './suricata_exploit_cve_2019_13450.json';
import rule152 from './suricata_exploit_cve_2019_13505.json';
import rule153 from './suricata_exploit_cve_2019_15107.json';
import rule154 from './suricata_exploit_cve_2019_15846.json';
import rule155 from './suricata_exploit_cve_2019_16072.json';
import rule156 from './suricata_exploit_cve_2019_1652.json';
import rule157 from './suricata_exploit_cve_2019_16662.json';
import rule158 from './suricata_exploit_cve_2019_16759.json';
import rule159 from './suricata_exploit_cve_2019_16928.json';
import rule160 from './suricata_exploit_cve_2019_17270.json';
import rule161 from './suricata_exploit_cve_2019_1821.json';
import rule162 from './suricata_exploit_cve_2019_19781.json';
import rule163 from './suricata_exploit_cve_2019_2618.json';
import rule164 from './suricata_exploit_cve_2019_2725.json';
import rule165 from './suricata_exploit_cve_2019_3396.json';
import rule166 from './suricata_exploit_cve_2019_3929.json';
import rule167 from './suricata_exploit_cve_2019_5533.json';
import rule168 from './suricata_exploit_cve_2019_6340.json';
import rule169 from './suricata_exploit_cve_2019_7256.json';
import rule170 from './suricata_exploit_cve_2019_9978.json';
import rule171 from './suricata_ftp_traffic_on_unusual_port_internet_destination.json';
import rule172 from './suricata_http_traffic_on_unusual_port_internet_destination.json';
import rule173 from './suricata_imap_traffic_on_unusual_port_internet_destination.json';
import rule174 from './suricata_lazagne_artifact_in_an_http_post.json';
import rule175 from './suricata_mimikatz_artifacts_in_an_http_post.json';
import rule176 from './suricata_mimikatz_string_detected_in_http_response.json';
import rule177 from './suricata_nondns_traffic_on_tcp_port_53.json';
import rule178 from './suricata_nondns_traffic_on_udp_port_53.json';
import rule179 from './suricata_nonftp_traffic_on_port_21.json';
import rule180 from './suricata_nonhttp_traffic_on_tcp_port_80.json';
import rule181 from './suricata_nonimap_traffic_on_port_1443_imap.json';
import rule182 from './suricata_nonsmb_traffic_on_tcp_port_139_smb.json';
import rule183 from './suricata_nonssh_traffic_on_port_22.json';
import rule184 from './suricata_nontls_on_tls_port.json';
import rule185 from './suricata_possible_cobalt_strike_malleable_c2_null_response.json';
import rule186 from './suricata_possible_sql_injection_sql_commands_in_http_transactions.json';
import rule187 from './suricata_rpc_traffic_on_http_ports.json';
import rule188 from './suricata_serialized_php_detected.json';
import rule189 from './suricata_shell_exec_php_function_in_an_http_post.json';
import rule190 from './suricata_ssh_traffic_not_on_port_22_internet_destination.json';
import rule191 from './suricata_tls_traffic_on_unusual_port_internet_destination.json';
import rule192 from './suricata_windows_executable_served_by_jpeg_web_content.json';
import rule193 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json';
import rule194 from './windows_burp_ce_activity.json';
import rule195 from './windows_certutil_connecting_to_the_internet.json';
import rule196 from './windows_command_prompt_connecting_to_the_internet.json';
import rule197 from './windows_command_shell_started_by_internet_explorer.json';
import rule198 from './windows_command_shell_started_by_powershell.json';
import rule199 from './windows_command_shell_started_by_svchost.json';
import rule200 from './windows_credential_dumping_commands.json';
import rule201 from './windows_credential_dumping_via_imageload.json';
import rule202 from './windows_credential_dumping_via_registry_save.json';
import rule203 from './windows_data_compression_using_powershell.json';
import rule204 from './windows_defense_evasion_decoding_using_certutil.json';
import rule205 from './windows_defense_evasion_or_persistence_via_hidden_files.json';
import rule206 from './windows_defense_evasion_via_filter_manager.json';
import rule207 from './windows_defense_evasion_via_windows_event_log_tools.json';
import rule208 from './windows_execution_via_compiled_html_file.json';
import rule209 from './windows_execution_via_connection_manager.json';
import rule210 from './windows_execution_via_microsoft_html_application_hta.json';
import rule211 from './windows_execution_via_net_com_assemblies.json';
import rule212 from './windows_execution_via_regsvr32.json';
import rule213 from './windows_execution_via_trusted_developer_utilities.json';
import rule214 from './windows_html_help_executable_program_connecting_to_the_internet.json';
import rule215 from './windows_image_load_from_a_temp_directory.json';
import rule216 from './windows_indirect_command_execution.json';
import rule217 from './windows_iodine_activity.json';
import rule218 from './windows_management_instrumentation_wmi_execution.json';
import rule219 from './windows_microsoft_html_application_hta_connecting_to_the_internet.json';
import rule220 from './windows_mimikatz_activity.json';
import rule221 from './windows_misc_lolbin_connecting_to_the_internet.json';
import rule222 from './windows_net_command_activity_by_the_system_account.json';
import rule223 from './windows_net_user_command_activity.json';
import rule224 from './windows_netcat_activity.json';
import rule225 from './windows_netcat_network_activity.json';
import rule226 from './windows_network_anomalous_windows_process_using_https_ports.json';
import rule227 from './windows_nmap_activity.json';
import rule228 from './windows_nmap_scan_activity.json';
import rule229 from './windows_payload_obfuscation_via_certutil.json';
import rule230 from './windows_persistence_or_priv_escalation_via_hooking.json';
import rule231 from './windows_persistence_via_application_shimming.json';
import rule232 from './windows_persistence_via_bits_jobs.json';
import rule233 from './windows_persistence_via_modification_of_existing_service.json';
import rule234 from './windows_persistence_via_netshell_helper_dll.json';
import rule235 from './windows_powershell_connecting_to_the_internet.json';
import rule236 from './windows_priv_escalation_via_accessibility_features.json';
import rule237 from './windows_process_discovery_via_tasklist_command.json';
import rule238 from './windows_process_execution_via_wmi.json';
import rule239 from './windows_process_started_by_acrobat_reader_possible_payload.json';
import rule240 from './windows_process_started_by_ms_office_program_possible_payload.json';
import rule241 from './windows_process_started_by_the_java_runtime.json';
import rule242 from './windows_psexec_activity.json';
import rule243 from './windows_register_server_program_connecting_to_the_internet.json';
import rule244 from './windows_registry_query_local.json';
import rule245 from './windows_registry_query_network.json';
import rule246 from './windows_remote_management_execution.json';
import rule247 from './windows_scheduled_task_activity.json';
import rule248 from './windows_script_interpreter_connecting_to_the_internet.json';
import rule249 from './windows_signed_binary_proxy_execution.json';
import rule250 from './windows_signed_binary_proxy_execution_download.json';
import rule251 from './windows_suspicious_process_started_by_a_script.json';
import rule252 from './windows_whoami_command_activity.json';
import rule253 from './windows_windump_activity.json';
import rule254 from './windows_wireshark_activity.json';
import rule255 from './zeek_notice_capturelosstoo_much_loss.json';
import rule256 from './zeek_notice_conncontent_gap.json';
import rule257 from './zeek_notice_connretransmission_inconsistency.json';
import rule258 from './zeek_notice_dnsexternal_name.json';
import rule259 from './zeek_notice_ftpbruteforcing.json';
import rule260 from './zeek_notice_ftpsite_exec_success.json';
import rule261 from './zeek_notice_heartbleedssl_heartbeat_attack.json';
import rule262 from './zeek_notice_heartbleedssl_heartbeat_attack_success.json';
import rule263 from './zeek_notice_heartbleedssl_heartbeat_many_requests.json';
import rule264 from './zeek_notice_heartbleedssl_heartbeat_odd_length.json';
import rule265 from './zeek_notice_httpsql_injection_attacker.json';
import rule266 from './zeek_notice_httpsql_injection_victim.json';
import rule267 from './zeek_notice_intelnotice.json';
import rule268 from './zeek_notice_noticetally.json';
import rule269 from './zeek_notice_packetfiltercannot_bpf_shunt_conn.json';
import rule270 from './zeek_notice_packetfiltercompile_failure.json';
import rule271 from './zeek_notice_packetfilterdropped_packets.json';
import rule272 from './zeek_notice_packetfilterinstall_failure.json';
import rule273 from './zeek_notice_packetfilterno_more_conn_shunts_available.json';
import rule274 from './zeek_notice_packetfiltertoo_long_to_compile_filter.json';
import rule275 from './zeek_notice_protocoldetectorprotocol_found.json';
import rule276 from './zeek_notice_protocoldetectorserver_found.json';
import rule277 from './zeek_notice_scanaddress_scan.json';
import rule278 from './zeek_notice_scanport_scan.json';
import rule279 from './zeek_notice_signaturescount_signature.json';
import rule280 from './zeek_notice_signaturesmultiple_sig_responders.json';
import rule281 from './zeek_notice_signaturesmultiple_signatures.json';
import rule282 from './zeek_notice_signaturessensitive_signature.json';
import rule283 from './zeek_notice_signaturessignature_summary.json';
import rule284 from './zeek_notice_smtpblocklist_blocked_host.json';
import rule285 from './zeek_notice_smtpblocklist_error_message.json';
import rule286 from './zeek_notice_smtpsuspicious_origination.json';
import rule287 from './zeek_notice_softwaresoftware_version_change.json';
import rule288 from './zeek_notice_softwarevulnerable_version.json';
import rule289 from './zeek_notice_sshinteresting_hostname_login.json';
import rule290 from './zeek_notice_sshlogin_by_password_guesser.json';
import rule291 from './zeek_notice_sshpassword_guessing.json';
import rule292 from './zeek_notice_sshwatched_country_login.json';
import rule293 from './zeek_notice_sslcertificate_expired.json';
import rule294 from './zeek_notice_sslcertificate_expires_soon.json';
import rule295 from './zeek_notice_sslcertificate_not_valid_yet.json';
import rule296 from './zeek_notice_sslinvalid_ocsp_response.json';
import rule297 from './zeek_notice_sslinvalid_server_cert.json';
import rule298 from './zeek_notice_sslold_version.json';
import rule299 from './zeek_notice_sslweak_cipher.json';
import rule300 from './zeek_notice_sslweak_key.json';
import rule301 from './zeek_notice_teamcymrumalwarehashregistrymatch.json';
import rule302 from './zeek_notice_traceroutedetected.json';
import rule303 from './zeek_notice_weirdactivity.json';
export const rawRules = [
rule1,
rule2,
@ -650,40 +614,4 @@ export const rawRules = [
rule301,
rule302,
rule303,
rule304,
rule305,
rule306,
rule307,
rule308,
rule309,
rule310,
rule311,
rule312,
rule313,
rule314,
rule315,
rule316,
rule317,
rule318,
rule319,
rule320,
rule321,
rule322,
rule323,
rule324,
rule325,
rule326,
rule327,
rule328,
rule329,
rule330,
rule331,
rule332,
rule333,
rule334,
rule335,
rule336,
rule337,
rule338,
rule339,
];

118
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_java_process_connecting_to_the_internet.json
View file

@ -1,118 +0,0 @@
{
"description": "Linux: Java Process Connecting to the Internet",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "process.name",
"negate": false,
"params": {
"query": "java"
},
"type": "phrase",
"value": "java"
},
"query": {
"match": {
"process.name": {
"query": "java",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
"key": "event.action",
"negate": false,
"params": {
"query": "socket_opened"
},
"type": "phrase",
"value": "socket_opened"
},
"query": {
"match": {
"event.action": {
"query": "socket_opened",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
"key": "destination.ip",
"negate": true,
"params": {
"query": "127.0.0.1"
},
"type": "phrase",
"value": "127.0.0.1"
},
"query": {
"match": {
"destination.ip": {
"query": "127.0.0.1",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index",
"key": "destination.ip",
"negate": true,
"params": {
"query": "::1"
},
"type": "phrase",
"value": "::1"
},
"query": {
"match": {
"destination.ip": {
"query": "::1",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Linux: Java Process Connecting to the Internet",
"query": "not destination.ip: 10.0.0.0/8 and not 172.16.0.0/12",
"risk_score": 50,
"rule_id": "7f65b8c5-27ed-4cf6-a088-3a20d2f84bf5",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_lzop_activity_possible_julianrunnels.json
View file

@ -1,17 +0,0 @@
{
"description": "Linux lzop activity - possible @JulianRunnels",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Linux lzop activity - possible @JulianRunnels",
"query": "process.name:lzop",
"risk_score": 50,
"rule_id": "d89b05b1-9b2b-45ea-9876-4a74550af6a6",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

93
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_unusual_shell_activity.json
View file

@ -1,93 +0,0 @@
{
"description": "Linux unusual shell activity",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "process.name",
"negate": true,
"params": {
"query": "bash"
},
"type": "phrase",
"value": "bash"
},
"query": {
"match": {
"process.name": {
"query": "bash",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
"key": "process.executable",
"negate": true,
"params": {
"query": "/bin/dash"
},
"type": "phrase",
"value": "/bin/dash"
},
"query": {
"match": {
"process.executable": {
"query": "/bin/dash",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
"key": "process.name",
"negate": true,
"params": {
"query": "ReportCrash"
},
"type": "phrase",
"value": "ReportCrash"
},
"query": {
"match": {
"process.name": {
"query": "ReportCrash",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Linux unusual shell activity",
"query": "process.name:*sh",
"risk_score": 50,
"rule_id": "4cc78842-f8a9-4a20-b703-a596c4f24e4f",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

68
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/powershell_network_connection.json
View file

@ -1,68 +0,0 @@
{
"description": "Powershell network connection",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "event.action",
"negate": false,
"params": {
"query": "Network connection detected (rule: NetworkConnect)"
},
"type": "phrase",
"value": "Network connection detected (rule: NetworkConnect)"
},
"query": {
"match": {
"event.action": {
"query": "Network connection detected (rule: NetworkConnect)",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
"key": "destination.ip",
"negate": true,
"params": {
"query": "169.254.169.254"
},
"type": "phrase",
"value": "169.254.169.254"
},
"query": {
"match": {
"destination.ip": {
"query": "169.254.169.254",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Powershell network connection",
"query": "process.name:powershell.exe",
"risk_score": 50,
"rule_id": "8e792144-39a6-4a63-9779-2f12719dc132",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_execution_via_wmi.json
View file

@ -1,17 +0,0 @@
{
"description": "Process Execution via WMI",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Process Execution via WMI",
"query": "process.name:scrcons.exe",
"risk_score": 50,
"rule_id": "14ba7cd9-1489-459b-99a4-153c7a3f9abb",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

43
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_acrobat_reader_possible_payload.json
View file

@ -1,43 +0,0 @@
{
"description": "Process started by Acrobat reader - possible payload",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "event.action",
"negate": false,
"params": {
"query": "Process Create (rule: ProcessCreate)"
},
"type": "phrase",
"value": "Process Create (rule: ProcessCreate)"
},
"query": {
"match": {
"event.action": {
"query": "Process Create (rule: ProcessCreate)",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Process started by Acrobat reader - possible payload",
"query": "process.parent.name:AcroRd32.exe",
"risk_score": 50,
"rule_id": "c359628d-d5af-4a20-99df-aeeea109b690",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

43
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_ms_office_program_possible_payload.json
View file

@ -1,43 +0,0 @@
{
"description": "Process started by MS Office program - possible payload",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "event.action",
"negate": false,
"params": {
"query": "Process Create (rule: ProcessCreate)"
},
"type": "phrase",
"value": "Process Create (rule: ProcessCreate)"
},
"query": {
"match": {
"event.action": {
"query": "Process Create (rule: ProcessCreate)",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Process started by MS Office program - possible payload",
"query": " process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
"risk_score": 50,
"rule_id": "3181b814-08e3-43f9-b77a-a2530603b131",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/process_started_by_windows_defender.json
View file

@ -1,17 +0,0 @@
{
"description": "Process started by Windows Defender",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Process started by Windows Defender",
"query": "parent.process.name:MsMpEng.exe",
"risk_score": 50,
"rule_id": "b3da3321-417d-494b-854c-b40369e063f0",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/psexec_activity.json
View file

@ -1,17 +0,0 @@
{
"description": "PSexec activity",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "PSexec activity",
"query": "process.name:PsExec.exe or process.name:PsExec64.exe",
"risk_score": 50,
"rule_id": "9511b7f4-3898-4813-8bd3-d810b03148ab",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

66
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/search_windows_10.json
View file

@ -1,66 +0,0 @@
{
"description": "(Search) Windows 10",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "agent.hostname",
"negate": false,
"params": {
"query": "LAPTOP-CQNI37L2"
},
"type": "phrase"
},
"query": {
"match": {
"agent.hostname": {
"query": "LAPTOP-CQNI37L2",
"type": "phrase"
}
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
"key": "event.provider",
"negate": false,
"params": {
"query": "Microsoft-Windows-Sysmon"
},
"type": "phrase"
},
"query": {
"match": {
"event.provider": {
"query": "Microsoft-Windows-Sysmon",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "(Search) Windows 10",
"query": "",
"risk_score": 50,
"rule_id": "5d00c579-794c-4f64-be52-1ed8cae2b11e",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_child_processes_of_spoolsvexe.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Child Processes of Spoolsv.exe",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Child Processes of Spoolsv.exe",
"query": "process.parent.name:spoolsv.exe and not process.name:regsvr32.exe ",
"risk_score": 50,
"rule_id": "2f026c73-bb63-455e-abdf-f11f463acf0d",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_large_outbound_icmp_packets.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Detect Large Outbound ICMP Packets",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Detect Large Outbound ICMP Packets",
"query": "network.transport:icmp and network.bytes>1000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16",
"risk_score": 50,
"rule_id": "e108c0c6-5ee8-47a0-8c23-ec47ba3a9b00",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_long_dns_txt_record_response.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Detect Long DNS TXT Record Response",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Detect Long DNS TXT Record Response",
"query": "network.protocol:dns and server.bytes>100 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16 and not destination.ip:169.254.169.254 and not destination.ip:127.0.0.53",
"risk_score": 50,
"rule_id": "2cdf84be-1c9c-4184-9880-75b9a6ddeaba",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_new_local_admin_account.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Detect New Local Admin account",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Detect New Local Admin account",
"query": "event.code:(4720 or 4732) and winlog.event_data.TargetUserName:Administrators",
"risk_score": 50,
"rule_id": "030fc8e4-2c5f-4cc9-a6bd-2b6b7b98ae16",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_psexec_with_accepteula_flag.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Detect PsExec With accepteula Flag",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Detect PsExec With accepteula Flag",
"query": "process.name:PsExec.exe and process.args:\"-accepteula\"",
"risk_score": 50,
"rule_id": "4b63cf13-9043-41e3-84ec-6e39eb0d407e",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_detect_use_of_cmdexe_to_launch_script_interpreters.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Detect Use of cmd.exe to Launch Script Interpreters",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.name:(\"wscript.exe\" or \"cscript.exe\") and process.parent.name:\"cmd.exe\"",
"risk_score": 50,
"rule_id": "f4388e4c-ec3d-41b3-be5c-27c11f61473c",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_created_by_netsh.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Processes created by netsh",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Processes created by netsh",
"query": "process.parent.name:netsh.exe",
"risk_score": 50,
"rule_id": "ce7a0bde-7406-4729-a075-a215f4571ff6",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_processes_launching_netsh.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Processes launching netsh",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Processes launching netsh",
"query": "process.name:netsh.exe and event.action:\"Process Create (rule: ProcessCreate)\" ",
"risk_score": 50,
"rule_id": "600dba95-f1c6-4a4d-aae1-c79cbd8a5ddd",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_protocols_passing_authentication_in_cleartext.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Protocols passing authentication in cleartext",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Protocols passing authentication in cleartext",
"query": "destination.port:(21 or 23 or 110 or 143) and network.transport:tcp",
"risk_score": 50,
"rule_id": "f4442e7f-856a-4a4a-851b-c1f9b97b0d39",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/splunk_windows_event_log_cleared.json
View file

@ -1,17 +0,0 @@
{
"description": "Splunk - Windows Event Log Cleared",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Splunk - Windows Event Log Cleared",
"query": "event.code:(1102 or 1100)",
"risk_score": 50,
"rule_id": "c0747553-4652-4e74-bc86-898f2daa2bde",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

43
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/suspicious_process_started_by_a_script.json
View file

@ -1,43 +0,0 @@
{
"description": "Suspicious process started by a script",
"enabled": false,
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": null,
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "event.action",
"negate": false,
"params": {
"query": "Process Create (rule: ProcessCreate)"
},
"type": "phrase",
"value": "Process Create (rule: ProcessCreate)"
},
"query": {
"match": {
"event.action": {
"query": "Process Create (rule: ProcessCreate)",
"type": "phrase"
}
}
}
}
],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "Suspicious process started by a script",
"query": "(process.parent.name:cmd.exe or process.parent.name:cscript.exe or process.parent.name:mshta.exe or process.parent.name:powershell.exe or process.parent.name:rundll32.exe or process.parent.name:wscript.exe or process.parent.name:wmiprvse.exe) and (process.name:bitsadmin.exe or process.name:certutil.exe or mshta.exe or process.name:nslookup.exe or process.name:schtasks.exe)",
"risk_score": 50,
"rule_id": "e49b532b-3e52-4f3d-90f6-05a86982d347",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}

17
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windump_activity.json
View file

@ -1,17 +0,0 @@
{
"description": "WinDump activity",
"enabled": false,
"filters": [],
"from": "now-6m",
"immutable": true,
"interval": "5m",
"language": "kuery",
"name": "WinDump activity",
"query": "process.name:WinDump.exe",
"risk_score": 50,
"rule_id": "61c56cf4-0c08-4ad5-83ea-d2fe6ac62fa8",
"severity": "low",
"to": "now",
"type": "query",
"version": 1
}