[Detection Rules] Add updates from 7.11.2 rules (elastic#91553)

* [Detection Rules] Add 7.11.2 rules * update timestamp_override fields for certain rules
brokensound77 · Feb 17, 2021 · 65e468a · 65e468a
1 parent f9785ec
commit 65e468a
Show file tree

Hide file tree

Showing 356 changed files with 716 additions and 360 deletions.
diff --git a/...ution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json b/...ution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json
@@ -23,6 +23,7 @@
     "Elastic",
     "APM"
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/...ver/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json b/...ver/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json
@@ -23,6 +23,7 @@
     "Elastic",
     "APM"
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/...ity_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json b/...ity_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json
@@ -41,6 +41,7 @@
     "Elastic",
     "APM"
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/...y_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json b/...y_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json
@@ -23,6 +23,7 @@
     "Elastic",
     "APM"
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 4
+  "version": 5
 }
diff --git a/...etection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json b/...etection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json
@@ -31,6 +31,7 @@
     "SecOps",
     "Configuration Audit"
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }
diff --git a/...lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json b/...lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json
@@ -31,6 +31,7 @@
     "SecOps",
     "Network Security"
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }
diff --git a/...ver/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json b/...ver/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json
@@ -31,6 +31,7 @@
     "SecOps",
     "Network Security"
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }
diff --git a/...r/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json b/...r/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json
@@ -49,6 +49,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/...etection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json b/...etection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json
@@ -45,6 +45,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 1
+  "version": 2
 }
diff --git a/...etection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json b/...etection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json
@@ -46,6 +46,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/...r/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json b/...r/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json
@@ -46,6 +46,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/...epackaged_rules/collection_persistence_powershell_exch_mailbox_activesync_add_device.json b/...epackaged_rules/collection_persistence_powershell_exch_mailbox_activesync_add_device.json
@@ -45,6 +45,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 1
+  "version": 2
 }
diff --git a/...r/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json b/...r/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json
@@ -62,6 +62,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/...ion/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json b/...ion/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json
@@ -41,6 +41,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 1
+  "version": 2
 }
diff --git a/...ib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json b/...ib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_beacon.json
@@ -56,6 +56,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/...ne/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json b/...ne/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json
@@ -53,6 +53,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }
diff --git a/.../lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json b/.../lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json
@@ -39,6 +39,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 1
+  "version": 2
 }
diff --git a/...tion_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json b/...tion_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json
@@ -38,6 +38,7 @@
       "technique": []
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...ne/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json b/...ne/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json
@@ -44,6 +44,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }
diff --git a/...ion_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json b/...ion_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json
@@ -39,6 +39,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 1
+  "version": 2
 }
diff --git a/...er/lib/detection_engine/rules/prepackaged_rules/command_and_control_fin7_c2_behavior.json b/...er/lib/detection_engine/rules/prepackaged_rules/command_and_control_fin7_c2_behavior.json
@@ -55,6 +55,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/...ckaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json b/...ckaged_rules/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.json
@@ -51,6 +51,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...er/lib/detection_engine/rules/prepackaged_rules/command_and_control_halfbaked_beacon.json b/...er/lib/detection_engine/rules/prepackaged_rules/command_and_control_halfbaked_beacon.json
@@ -56,6 +56,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/..._rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json b/..._rules/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.json
@@ -51,6 +51,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...ction_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json b/...ction_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json
@@ -36,6 +36,7 @@
       "technique": []
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }
diff --git a/...er/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json b/...er/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json
@@ -55,6 +55,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }
diff --git a/...ngine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json b/...ngine/rules/prepackaged_rules/command_and_control_port_8000_activity_to_the_internet.json
@@ -36,6 +36,7 @@
       "technique": []
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...repackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json b/...repackaged_rules/command_and_control_pptp_point_to_point_tunneling_protocol_activity.json
@@ -36,6 +36,7 @@
       "technique": []
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }
diff --git a/...gine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json b/...gine/rules/prepackaged_rules/command_and_control_proxy_port_activity_to_the_internet.json
@@ -36,6 +36,7 @@
       "technique": []
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/.../prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json b/.../prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json
@@ -66,6 +66,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...ngine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json b/...ngine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json
@@ -42,6 +42,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/...tection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json b/...tection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json
@@ -44,6 +44,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 2
+  "version": 3
 }
diff --git a/...ib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json b/...ib/detection_engine/rules/prepackaged_rules/command_and_control_smtp_to_the_internet.json
@@ -51,6 +51,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json b/...rules/prepackaged_rules/command_and_control_sql_server_port_activity_to_the_internet.json
@@ -36,6 +36,7 @@
       "technique": []
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...ngine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json b/...ngine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_from_the_internet.json
@@ -66,6 +66,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/..._engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json b/..._engine/rules/prepackaged_rules/command_and_control_ssh_secure_shell_to_the_internet.json
@@ -36,6 +36,7 @@
       "technique": []
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...ion_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json b/...ion_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json
@@ -71,6 +71,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }
diff --git a/...ction_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json b/...ction_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json
@@ -42,6 +42,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 1
+  "version": 2
 }
diff --git a/...ib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json b/...ib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json
@@ -66,6 +66,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 5
+  "version": 6
 }
diff --git a/...tion_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json b/...tion_engine/rules/prepackaged_rules/command_and_control_tor_activity_to_the_internet.json
@@ -49,6 +49,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...repackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json b/...repackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json
@@ -57,6 +57,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/.../prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json b/.../prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json
@@ -42,6 +42,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 6
+  "version": 7
 }
diff --git a/...ection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json b/...ection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json
@@ -44,6 +44,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "query",
-  "version": 3
+  "version": 4
 }
diff --git a/...ver/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json b/...ver/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json
@@ -42,6 +42,7 @@
       ]
     }
   ],
+  "timestamp_override": "event.ingested",
   "type": "eql",
-  "version": 1
+  "version": 2
 }